CVE-2025-4774 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Premium Addons for Elementor plugin for WordPress, specifically in the Countdown widget's data-countdown attribute. The vulnerability is due to improper neutralization of input during web page generation (CWE-79), where user-supplied input is not adequately sanitized or escaped before being rendered on the page. This flaw allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the vulnerable website. The vulnerability affects all versions up to and including 4.11.8 of the plugin. The CVSS v3.1 base score is 6.4, indicating a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple authenticated users. The vulnerability was published on June 10, 2025, and was reserved on May 15, 2025. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation.

The primary impact of this vulnerability is the potential for attackers with Contributor-level access to inject malicious scripts that execute in the browsers of site visitors or other authenticated users. This can lead to theft of session cookies, defacement, unauthorized actions performed on behalf of users, or distribution of malware. Since the vulnerability affects a widely used WordPress plugin, the scope includes numerous websites globally, especially those relying on the Elementor page builder with this addon. The compromise of user accounts or site integrity can damage organizational reputation, lead to data breaches, and disrupt normal operations. The requirement for authenticated access limits the attack surface but does not eliminate risk, as Contributor-level accounts are common in collaborative content management environments. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire site. The absence of known exploits in the wild reduces immediate risk but should not lead to complacency, as attackers may develop exploits rapidly once details are public.

1. Immediately upgrade the Premium Addons for Elementor plugin to a patched version once available from the vendor. Monitor official channels for patch releases. 2. In the interim, restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the data-countdown attribute or typical XSS patterns. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the website. 5. Regularly audit user accounts and permissions to ensure no unauthorized privilege escalations. 6. Sanitize and validate all user inputs on the server side, especially those that influence page rendering. 7. Educate site administrators and content contributors about the risks of XSS and safe content practices. 8. Monitor website logs and user reports for unusual activity that may indicate exploitation attempts. 9. Consider temporarily disabling or removing the Countdown widget if it is not essential until a patch is applied.