CVE-2025-4944 is a stored Cross-Site Scripting (XSS) vulnerability affecting the LA-Studio Element Kit for Elementor WordPress plugin, developed by choijun. This vulnerability exists in all versions up to and including 1.5.2 of the plugin. The flaw arises due to improper neutralization of input during web page generation (CWE-79), specifically insufficient input sanitization and output escaping on user-supplied attributes within the plugin's Image Compare and Google Maps widgets. An authenticated attacker with contributor-level privileges or higher can exploit this vulnerability by injecting arbitrary malicious scripts into pages. These scripts are then stored and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability has a CVSS v3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based, requiring low attack complexity, and privileges at the contributor level, but does not require user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component. No known exploits in the wild have been reported yet, and no patches are currently linked, suggesting that mitigation may require manual intervention or updates once available. This vulnerability is particularly critical in environments where multiple users with varying privilege levels interact with WordPress sites using this plugin, as it allows relatively low-privileged users to inject persistent scripts that affect other users, including administrators.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of web applications using the LA-Studio Element Kit for Elementor plugin. Since WordPress is widely used across Europe for corporate, governmental, and commercial websites, exploitation could lead to unauthorized access to user sessions, theft of sensitive data, defacement of websites, or distribution of malware to site visitors. The requirement for contributor-level access means that attackers may leverage compromised or insider accounts to escalate their impact. This could undermine trust in affected organizations, lead to regulatory non-compliance under GDPR due to data breaches, and cause operational disruptions. The persistent nature of stored XSS increases the risk as malicious scripts remain active until detected and removed. Given the plugin’s focus on visual widgets (Image Compare and Google Maps), the vulnerability could be exploited in high-visibility areas of websites, amplifying reputational damage. Additionally, the scope change in the CVSS vector suggests that the impact could extend beyond the plugin itself, potentially affecting other components or user sessions across the site.

European organizations should immediately audit their WordPress installations to identify the presence of the LA-Studio Element Kit for Elementor plugin and verify the version in use. Until an official patch is released, the following specific mitigations are recommended: 1) Restrict contributor-level access strictly to trusted users and review user roles and permissions to minimize exposure. 2) Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable widgets, focusing on script injection patterns in Image Compare and Google Maps widget inputs. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Conduct manual code reviews or use security scanning tools to identify and sanitize inputs in the plugin’s widget configurations. 5) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 6) Educate site administrators and content contributors about the risks of injecting untrusted content. Once a patch is available, prioritize prompt plugin updates and test them in staging environments before deployment. Additionally, consider isolating or temporarily disabling the vulnerable widgets if feasible.