CVE-2025-49235: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Rometheme RTMKit Addons for Elementor
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rometheme RTMKit Addons for Elementor allows Stored XSS. This issue affects RTMKit Addons for Elementor: from n/a through 1.6.0.
AI Analysis
Technical Summary
CVE-2025-49235 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in the RTMKit Addons for Elementor WordPress plugin by Rometheme, affecting all versions up to and including 1.6.0. The plugin fails to neutralize user-supplied input before writing it into generated pages, so a script payload saved through the plugin is later served to, and executed in the browsers of, other visitors. The advisory does not identify the specific widget or setting that fails to escape its input. The CVSS v3.1 base score is 6.5 (medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L: the attacker needs a low-privileged account on the site (PR:L), such as a contributor or author who can edit content, and a victim must load the affected page (UI:R). The changed scope (S:C) is the standard scoring for XSS and reflects that the vulnerable component is the WordPress site while the impacted component is the victim's browser; it does not by itself indicate reach into other systems. Confidentiality, integrity and availability impacts are each rated low. In practice, WordPress authentication cookies are HttpOnly, so the realistic consequence is not cookie theft but actions taken with the victim's session: a script running in an administrator's browser can read the REST API nonce from the page and issue authenticated requests, modify content, or alter site configuration. At publication (June 6, 2025) the entry lists no patched version and no known exploitation in the wild. The plugin extends the Elementor page builder, which is widely used on WordPress sites.
Potential Impact
For European organizations running WordPress with Elementor and this plugin, the realistic outcome of exploitation is a content-editing account, or a compromised one, planting a script that runs in the browsers of other users, including administrators. That permits defacement, redirection of visitors, and authenticated actions performed with the victim's session; in an administrator's session this typically means creating privileged accounts or installing further plugins. Where the site processes personal data, such an incident can amount to a reportable breach under GDPR. E-commerce sites, public-sector portals and financial-services sites that allow several content contributors are the most exposed. The S:C component of the CVSS vector reflects the browser-side impact inherent to XSS rather than an extension to other integrated systems; any wider impact comes through what the victim's session is allowed to do. No exploitation in the wild is reported, but stored XSS in popular WordPress plugins is routinely weaponized once details become public, so the low attack complexity and network reachability argue for prompt mitigation.
Mitigation Recommendations
European organizations should first establish whether RTMKit Addons for Elementor is installed and at which version (anything through 1.6.0 is affected); `wp plugin list` on each site, or the plugin header in wp-content/plugins, answers this quickly. The entry lists no fixed version, so until the vendor ships one:
1) Deactivate or remove the plugin where its widgets are not essential. Pages built with its widgets will lose that styling, so test on a staging copy first.
2) Because PR:L means any account able to edit content can inject the payload, review Contributor, Author and Editor accounts, remove stale ones, and enforce strong authentication for the rest.
3) Apply Web Application Firewall rules for common XSS patterns, with the caveat that a payload saved through the authenticated editor is hard to distinguish from legitimate HTML; a WAF is a speed bump, not a fix.
4) Deploy a Content Security Policy that disallows inline script and restricts script sources. WordPress core, themes and Elementor itself emit inline scripts, so start with Content-Security-Policy-Report-Only and move to enforcement once the report stream is clean.
5) Apply output escaping (esc_html, esc_attr, wp_kses_post) in any custom code that renders data originating from the plugin's settings or from users.
6) Monitor web server and WordPress logs for unexpected script tags or event handlers in saved content, new administrator accounts and plugin installations, and apply the vendor update as soon as one is published.
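To make the inventory step concrete, the following added example (written for this page, not code from Rometheme, Patchstack or the WordPress project) checks the output of `wp plugin list --format=json` and, where WP-CLI is unavailable, the header comment of each plugin's main PHP file, flagging versions at or below 1.6.0. The plugin slug rtmkit-addons-for-elementor, the sample JSON and the sample header block are constructed assumptions; the version comparison is numeric because a string compare would wrongly treat 1.10.0 as older than 1.6.0.

```python
"""Check a WordPress install for RTMKit Addons for Elementor <= 1.6.0.

Added example for this advisory; not code from Rometheme, Patchstack or
WordPress.  Inputs: the JSON printed by `wp plugin list --format=json`, or
the header comment of each plugin's main PHP file under wp-content/plugins.
The slug 'rtmkit-addons-for-elementor' is an assumption, so matching is
done on the substring 'rtmkit' in either the slug or the display name.
"""
from __future__ import annotations

import json
import re
from pathlib import Path

AFFECTED_THROUGH = "1.6.0"                            # last affected version per the advisory
NAME_PATTERN = re.compile(r"rtmkit", re.IGNORECASE)   # assumption: identifies the plugin
HEADER_FIELD = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.6.0', '1.6' or '1.6.0-beta1' into a numeric tuple.

    A plain string comparison is wrong for this job: '1.10.0' < '1.6.0'
    as strings, so a later release would be flagged as affected.
    """
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    parts += [0] * max(0, 3 - len(parts))             # '1.6' compares equal to '1.6.0'
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when version is at or below the last affected release."""
    return parse_version(version) <= parse_version(AFFECTED_THROUGH)


def audit_wp_cli(json_text: str) -> list[dict]:
    """Flag RTMKit entries in `wp plugin list --format=json` output."""
    findings = []
    for entry in json.loads(json_text):
        if NAME_PATTERN.search(entry.get("name", "")):
            findings.append({**entry, "affected": is_affected(entry["version"])})
    return findings


def parse_plugin_header(php_source: str) -> dict[str, str]:
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin header comment."""
    return dict(HEADER_FIELD.findall(php_source))


def audit_plugin_dir(plugins_dir: Path) -> list[dict]:
    """Scan wp-content/plugins/*/*.php headers when WP-CLI is not available."""
    findings = []
    for php in plugins_dir.glob("*/*.php"):
        # WordPress only reads the first 8 KiB of a file for header fields.
        fields = parse_plugin_header(php.read_text(errors="replace")[:8192])
        name = fields.get("Plugin Name", "")
        if NAME_PATTERN.search(name) or NAME_PATTERN.search(php.parent.name):
            version = fields.get("Version", "0")
            findings.append({"name": name, "path": str(php), "version": version,
                             "affected": is_affected(version)})
    return findings


# Constructed sample inputs; not output captured from any real site.
SAMPLE_WP_CLI = json.dumps([
    {"name": "elementor", "status": "active", "update": "none", "version": "3.29.0"},
    {"name": "rtmkit-addons-for-elementor", "status": "active", "update": "none",
     "version": "1.6.0"},
])

SAMPLE_HEADER = """<?php
/**
 * Plugin Name: RTMKit Addons for Elementor
 * Version: 1.10.0
 */
"""

if __name__ == "__main__":
    for f in audit_wp_cli(SAMPLE_WP_CLI):
        print(f"{f['name']} {f['version']} affected={f['affected']}")
    h = parse_plugin_header(SAMPLE_HEADER)
    print(f"{h['Plugin Name']} {h['Version']} affected={is_affected(h['Version'])}")
```

Run it against real data by piping `wp plugin list --format=json` into `audit_wp_cli`, or by pointing `audit_plugin_dir` at the site's wp-content/plugins directory; the latter also catches a plugin that was deactivated but left on disk, which still needs to be removed or updated.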
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-04T09:40:52.584Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6842eddf71f4d251b5c880a7
Added to database: 6/6/2025, 1:32:15 PM
Last enriched: 7/8/2025, 1:28:24 AM
Last updated: 8/4/2025, 4:28:31 PM
Related Threats
- CVE-2025-50610: n/a (High)
- CVE-2025-50609: n/a (High)
- CVE-2025-50608: n/a (High)
- CVE-2025-55194: CWE-248: Uncaught Exception in Part-DB Part-DB-server (Medium)
- CVE-2025-55197: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf (Medium)