CVE-2025-46472 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the WordPress plugin 'The Pack Elementor addons' developed by webangon. This vulnerability arises from improper neutralization of input during web page generation, allowing malicious actors to inject and store arbitrary JavaScript code within the plugin's data fields. When a victim visits a page rendered by the vulnerable plugin, the malicious script executes in the context of the victim's browser. This can lead to session hijacking, credential theft, unauthorized actions on behalf of the user, or distribution of malware. The vulnerability affects all versions up to and including 2.1.2, with no patch currently available as of the published date (April 24, 2025). No known exploits have been reported in the wild yet, but the nature of stored XSS makes it a significant risk once weaponized. The plugin is commonly used to extend Elementor, a popular WordPress page builder, which is widely deployed across many websites, including those of European organizations. The lack of authentication requirements for exploitation depends on the plugin’s configuration and the context in which user input is accepted and stored. Given the stored nature of the XSS, the attack vector typically involves tricking an administrator or content editor into entering malicious content or exploiting user-generated content fields. The vulnerability’s medium severity rating reflects the moderate difficulty of exploitation and the potential impact on confidentiality and integrity of user sessions and data.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress sites enhanced by The Pack Elementor addons for public-facing or internal portals. Successful exploitation could lead to theft of user credentials, including those of administrators, enabling further compromise of the website or backend systems. This could result in defacement, data leakage, or unauthorized administrative actions. Additionally, attackers could use the vulnerability to distribute malware or phishing content to site visitors, damaging organizational reputation and potentially violating GDPR requirements related to data protection and breach notification. The impact is particularly critical for sectors with high reliance on web presence such as e-commerce, media, education, and government services. Since stored XSS can affect any user visiting the compromised page, the scope includes all site visitors, increasing the risk of widespread impact. The vulnerability also poses risks to internal users if the plugin is used on intranet or employee portals, potentially leading to lateral movement within corporate networks.

1. Immediate mitigation involves disabling or removing The Pack Elementor addons plugin until a security patch is released. 2. Implement strict input validation and output encoding on all user-supplied data fields within the plugin’s configuration or content areas to prevent injection of malicious scripts. 3. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers accessing the affected sites. 4. Monitor web server and application logs for unusual input patterns or script injection attempts targeting the plugin. 5. Educate site administrators and content editors about the risks of entering untrusted content and encourage use of trusted sources only. 6. Regularly back up website data and configurations to enable quick restoration in case of compromise. 7. Once a patch is available, prioritize prompt update of the plugin to the fixed version. 8. Conduct security audits and penetration testing focusing on web application vulnerabilities, especially XSS, to identify and remediate similar issues proactively.