CVE-2025-4566 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Elementor Website Builder – More Than Just a Page Builder plugin for WordPress, affecting all versions up to and including 3.30.2. The vulnerability arises from improper neutralization of input during web page generation, specifically within the Text Path widget's data-text DOM element attribute. Due to insufficient input sanitization and output escaping, authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code into pages. This malicious script executes whenever any user accesses the compromised page, but the attack vector is limited to Chrome and Edge browsers. The vulnerability is classified under CWE-79 and has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack requires low attack complexity, no user interaction, and privileges equivalent to Contributor role or above, with a scope change as the vulnerability affects other components beyond the initially compromised element. Although no known exploits are currently reported in the wild, the stored nature of the XSS makes it particularly dangerous as the injected script persists and can affect multiple users over time. The vulnerability impacts confidentiality and integrity by enabling script injection that could steal session tokens, perform actions on behalf of users, or manipulate page content. Availability impact is not significant. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.

For European organizations, this vulnerability poses a significant risk, especially those relying on WordPress sites built with the Elementor plugin for content management and customer engagement. Exploitation could lead to session hijacking, unauthorized actions, defacement, or distribution of malware through trusted websites, undermining user trust and potentially violating GDPR requirements related to data protection and breach notification. The limitation to Chrome and Edge browsers still covers a large portion of European users, increasing the attack surface. Organizations in sectors such as finance, e-commerce, healthcare, and government, which often use WordPress for public-facing sites, could face reputational damage and regulatory scrutiny if exploited. The requirement for Contributor-level access means insider threats or compromised accounts could be leveraged to exploit this vulnerability, highlighting the importance of strict access controls. Additionally, the persistence of stored XSS means that once injected, malicious scripts can affect multiple users over time, amplifying the impact.

1. Immediately audit user roles and permissions to ensure that only trusted users have Contributor-level or higher access, minimizing the risk of malicious script injection. 2. Implement strict input validation and sanitization on all user-generated content, particularly in the Text Path widget's data-text attribute, using server-side controls where possible. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 4. Monitor and review website content regularly for suspicious or unauthorized scripts, using automated scanning tools tailored for WordPress and Elementor. 5. Encourage users to use browsers other than Chrome and Edge temporarily if possible, as the vulnerability currently affects only these browsers. 6. Stay alert for official patches or updates from Elementor and apply them promptly once available. 7. Consider implementing Web Application Firewalls (WAF) with rules designed to detect and block XSS payloads targeting Elementor plugins. 8. Educate content contributors about the risks of injecting untrusted content and enforce secure content creation policies.