CVE-2025-4566: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in elemntor Elementor Website Builder – More Than Just a Page Builder
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-text DOM element attribute in the Text Path widget in all versions up to, and including, 3.30.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This attack affects only Chrome/Edge browsers.
AI Analysis
Technical Summary
CVE-2025-4566 is a stored Cross-Site Scripting vulnerability classified under CWE-79 affecting the Elementor Website Builder plugin for WordPress, specifically versions up to and including 3.30.2. The vulnerability arises from improper neutralization of input during web page generation, particularly in the data-text attribute of the Text Path widget's DOM element. Due to insufficient input sanitization and output escaping, authenticated users with Contributor-level privileges or higher can inject arbitrary JavaScript code into pages. When other users access these pages using Chrome or Edge browsers, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of the victim. The attack vector requires network access but no user interaction beyond page viewing. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with the vector string AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: it is remotely exploitable with low attack complexity, requires low privileges and no user interaction, has a changed scope, and has a low impact on confidentiality and integrity with no impact on availability. No patches or known exploits are currently available, but the vulnerability's presence in a widely used WordPress plugin makes it a significant concern for website administrators. The issue is limited to Chrome and Edge browsers due to how these browsers handle the affected DOM attribute.
Potential Impact
The impact of CVE-2025-4566 is primarily on the confidentiality and integrity of affected websites and their users. Successful exploitation allows authenticated attackers with Contributor-level access to inject malicious scripts that execute in the browsers of visitors using Chrome or Edge. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, defacement of website content, or distribution of malware. Although the vulnerability does not affect availability, the compromise of user data and trust can have severe reputational and operational consequences. Organizations relying on Elementor for their WordPress sites, especially those with multiple contributors or editors, face increased risk of insider or compromised account abuse. Given the widespread use of Elementor globally, the vulnerability could affect a large number of websites, including e-commerce, corporate, and informational sites, potentially exposing sensitive user data or enabling further attacks within the organization’s network.
Mitigation Recommendations
To mitigate CVE-2025-4566, organizations should immediately upgrade Elementor Website Builder to a version beyond 3.30.2 once a patch is released. Until then, restrict Contributor-level and higher privileges to trusted users only and review user roles to minimize unnecessary permissions. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the data-text attribute in the Text Path widget. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts, particularly limiting inline scripts and scripts from untrusted sources. Regularly audit website content for injected scripts or anomalies, especially on pages edited by contributors. Additionally, monitor logs for unusual activity from authenticated users and educate contributors about the risks of injecting untrusted content. Consider temporarily disabling or removing the Text Path widget if feasible. Finally, ensure that browsers used by site administrators and users are updated, and consider advising users to use browsers not affected by this vulnerability until remediation is complete.
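The content audit recommended above can be partly automated. The following Python sketch is an added example, not code from Elementor, Wordfence or this advisory: it scans rendered page HTML for data-text attributes whose decoded value carries markup, an event-handler attribute or a javascript: URL. The three rules and the sample page are assumptions constructed for illustration and do not reproduce the actual payload.

```python
import re
from html.parser import HTMLParser

# Heuristics chosen for this example: things a plain-text label should never contain.
SUSPICIOUS = {
    "markup-tag": re.compile(r"<\s*/?\s*[a-zA-Z]"),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "script-url": re.compile(r"javascript\s*:", re.I),
}


class DataTextAuditor(HTMLParser):
    """Records every data-text attribute whose decoded value trips a rule."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name != "data-text" or value is None:
                continue
            # html.parser has already decoded entities, so "&lt;b&gt;" arrives
            # here as "<b>", the form a script sees when it reads the attribute.
            hits = [rule for rule, rx in SUSPICIOUS.items() if rx.search(value)]
            if hits:
                line, _ = self.getpos()
                self.findings.append(
                    {"line": line, "tag": tag, "rules": hits, "value": value}
                )


def audit_html(html_text):
    """Return a list of findings for one rendered page."""
    auditor = DataTextAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample page: line 2 carries escaped markup in data-text.
SAMPLE_PAGE = """<div data-text="Welcome to our store"></div>
<div data-text="Sale &lt;img src=x onerror=PLACEHOLDER&gt;"></div>
<div data-text="Fish &amp; chips"></div>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print(finding["line"], finding["rules"], repr(finding["value"]))
```

Run it against saved copies of pages edited by Contributor accounts; any finding is a prompt for manual review of that widget, not proof of compromise.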
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-12T08:11:08.218Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68884ee8ad5a09ad008b061b
Added to database: 7/29/2025, 4:32:40 AM
Last enriched: 2/27/2026, 2:36:42 PM
Last updated: 3/25/2026, 4:49:42 AM