CVE-2025-4479 is a stored Cross-Site Scripting (XSS) vulnerability identified in the ElementsKit Elementor Addons and Templates plugin for WordPress, specifically impacting the image comparison widget's before/after label fields. This vulnerability exists due to improper neutralization of input during web page generation (CWE-79), where user-supplied attributes are not adequately sanitized or escaped before being rendered in the page. As a result, authenticated users with contributor-level privileges or higher can inject arbitrary JavaScript code into these labels. When any user, including administrators or visitors, accesses the compromised page, the injected script executes in their browser context. This can lead to session hijacking, privilege escalation, defacement, or redirection to malicious sites. The vulnerability affects all versions up to and including 3.5.2 of the plugin. The CVSS 3.1 base score of 6.4 reflects that the attack can be performed remotely over the network, requires low attack complexity, and only requires privileges equivalent to a contributor role, but no user interaction is needed for exploitation. The scope is changed because the vulnerability affects components beyond the attacker’s privileges, potentially impacting other users. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability is significant because WordPress is widely used globally, and ElementsKit is a popular addon for Elementor, a leading page builder plugin, increasing the potential attack surface.

The primary impact of CVE-2025-4479 is the compromise of confidentiality and integrity of user sessions and data on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially stealing authentication cookies, performing actions on behalf of users, or defacing content. This can lead to unauthorized access, data leakage, and reputational damage. While availability is not directly impacted, the injected scripts could be used to disrupt site functionality or redirect users to malicious domains. Organizations relying on ElementsKit for their WordPress sites, especially those with multiple contributors or public-facing content, face increased risk of targeted attacks or automated exploitation once proof-of-concept exploits become available. The vulnerability's ease of exploitation and broad user base make it a moderate threat that could facilitate further compromise within an organization's web infrastructure.

To mitigate CVE-2025-4479, organizations should first verify if they are using the ElementsKit Elementor Addons and Templates plugin version 3.5.2 or earlier. If so, immediate action is recommended. Since no official patch is currently linked, administrators should consider the following specific steps: 1) Restrict contributor-level user privileges to trusted individuals only, minimizing the risk of malicious input. 2) Implement a Web Application Firewall (WAF) with rules to detect and block typical XSS payloads targeting the image comparison widget parameters. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Regularly audit and sanitize existing content in the image comparison widget labels to remove any injected scripts. 5) Monitor site logs and user activity for suspicious behavior indicative of exploitation attempts. 6) Stay alert for official patches or updates from the vendor and apply them promptly once available. 7) Consider disabling or replacing the vulnerable widget if immediate patching is not feasible. These targeted mitigations go beyond generic advice by focusing on the specific plugin component and attack vector.