CVE-2025-4774 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Premium Addons for Elementor plugin for WordPress, specifically affecting all versions up to and including 4.11.8. The vulnerability arises from improper input sanitization and output escaping of the 'data-countdown' attribute in the Countdown widget. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting malicious scripts into pages via the vulnerable attribute. These scripts are then stored and executed in the context of any user who accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim user. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and impacting confidentiality and integrity with a scope change. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which relates to improper neutralization of input during web page generation, a common cause of XSS issues. Given that Elementor is a widely used WordPress page builder and Premium Addons is a popular extension, the vulnerability poses a significant risk to websites using these components, especially those allowing multiple users with contributor or higher roles to edit content.

For European organizations, this vulnerability can lead to several security risks. Exploitation could allow attackers to execute arbitrary JavaScript in the context of the affected website, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of legitimate users. This is particularly concerning for organizations that rely on WordPress sites for customer interaction, e-commerce, or internal portals where contributor-level access is granted to multiple users. The confidentiality of user data could be compromised, and the integrity of website content could be undermined, damaging organizational reputation and trust. Additionally, the scope change in the CVSS vector suggests that the vulnerability could affect resources beyond the initially vulnerable component, potentially impacting other parts of the website or connected systems. Given the widespread use of WordPress and Elementor in Europe, especially among SMEs and digital agencies, the risk of targeted exploitation or automated attacks could increase if the vulnerability becomes publicly known or exploited.

Organizations should immediately audit their WordPress installations to identify the use of Premium Addons for Elementor, particularly versions up to 4.11.8. Until an official patch is released, the following specific mitigations are recommended: 1) Restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 2) Implement Web Application Firewall (WAF) rules that detect and block suspicious payloads targeting the 'data-countdown' attribute or typical XSS attack patterns. 3) Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the domains from which scripts can be loaded, reducing the impact of injected scripts. 4) Regularly monitor website content for unexpected changes or injected scripts, using automated scanning tools specialized in detecting stored XSS. 5) Educate content editors about the risks of inserting untrusted content and enforce strict input validation on any custom forms or widgets. 6) Plan for timely updates to the plugin once a patch is available, and test updates in a staging environment to avoid service disruption. 7) Consider temporarily disabling or replacing the vulnerable widget if feasible, to eliminate the attack vector.