Skip to main content

CVE-2025-4774: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in leap13 Premium Addons for Elementor

Low
VulnerabilityCVE-2025-4774cvecve-2025-4774cwe-79
Published: Tue Jun 10 2025 (06/10/2025, 11:22:51 UTC)
Source: CVE Database V5
Vendor/Project: leap13
Product: Premium Addons for Elementor

Description

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AILast updated: 07/11/2025, 01:05:19 UTC

Technical Analysis

CVE-2025-4774 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Premium Addons for Elementor plugin for WordPress, specifically affecting all versions up to and including 4.11.8. The vulnerability arises from improper input sanitization and output escaping of the 'data-countdown' attribute in the Countdown widget. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting malicious scripts into pages via the vulnerable attribute. These scripts are then stored and executed in the context of any user who accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim user. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and impacting confidentiality and integrity with a scope change. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which relates to improper neutralization of input during web page generation, a common cause of XSS issues. Given that Elementor is a widely used WordPress page builder and Premium Addons is a popular extension, the vulnerability poses a significant risk to websites using these components, especially those allowing multiple users with contributor or higher roles to edit content.

Potential Impact

For European organizations, this vulnerability can lead to several security risks. Exploitation could allow attackers to execute arbitrary JavaScript in the context of the affected website, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of legitimate users. This is particularly concerning for organizations that rely on WordPress sites for customer interaction, e-commerce, or internal portals where contributor-level access is granted to multiple users. The confidentiality of user data could be compromised, and the integrity of website content could be undermined, damaging organizational reputation and trust. Additionally, the scope change in the CVSS vector suggests that the vulnerability could affect resources beyond the initially vulnerable component, potentially impacting other parts of the website or connected systems. Given the widespread use of WordPress and Elementor in Europe, especially among SMEs and digital agencies, the risk of targeted exploitation or automated attacks could increase if the vulnerability becomes publicly known or exploited.

Mitigation Recommendations

Organizations should immediately audit their WordPress installations to identify the use of Premium Addons for Elementor, particularly versions up to 4.11.8. Until an official patch is released, the following specific mitigations are recommended: 1) Restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 2) Implement Web Application Firewall (WAF) rules that detect and block suspicious payloads targeting the 'data-countdown' attribute or typical XSS attack patterns. 3) Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the domains from which scripts can be loaded, reducing the impact of injected scripts. 4) Regularly monitor website content for unexpected changes or injected scripts, using automated scanning tools specialized in detecting stored XSS. 5) Educate content editors about the risks of inserting untrusted content and enforce strict input validation on any custom forms or widgets. 6) Plan for timely updates to the plugin once a patch is available, and test updates in a staging environment to avoid service disruption. 7) Consider temporarily disabling or replacing the vulnerable widget if feasible, to eliminate the attack vector.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-05-15T13:39:53.432Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f561b0bd07c3938a577

Added to database: 6/10/2025, 6:54:14 PM

Last enriched: 7/11/2025, 1:05:19 AM

Last updated: 7/31/2025, 11:11:54 AM

Views: 11

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats