CVE-2025-5290 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Borderless – Elementor Addons and Templates plugin for WordPress, affecting all versions up to and including 1.7.1. The root cause is insufficient sanitization and escaping of the 'title' parameter during web page generation, classified under CWE-79. This flaw allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions within the context of the victim's session. The vulnerability requires authentication but no additional user interaction to trigger. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed, indicating that the vulnerability affects resources beyond the attacker’s privileges. No patches or exploits are currently publicly available, but the plugin’s widespread use in WordPress sites makes this a notable risk. The vulnerability highlights the importance of proper input validation and output encoding in plugin development to prevent XSS attacks.

If exploited, this vulnerability can lead to the execution of arbitrary scripts in the browsers of users visiting affected pages, potentially resulting in session hijacking, theft of sensitive information, unauthorized actions on behalf of users, and defacement of websites. Since the attacker needs only Contributor-level access, which is commonly granted in collaborative WordPress environments, the attack surface is significant. The compromise of user sessions can lead to privilege escalation or further infiltration of the website’s backend. This can damage organizational reputation, lead to data breaches, and disrupt normal website operations. The medium severity score reflects that while the impact on confidentiality and integrity is notable, availability is not affected. Organizations relying on this plugin for content presentation or functionality face increased risk of targeted attacks, especially in environments with multiple contributors or editors.

Organizations should immediately upgrade the Borderless – Elementor Addons and Templates plugin to a version that addresses this vulnerability once available. Until a patch is released, restrict Contributor-level access to trusted users only and review user roles to minimize the number of users with such privileges. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'title' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Conduct regular security audits of WordPress plugins and monitor logs for unusual activities related to page content changes. Educate content editors about the risks of injecting untrusted content and enforce strict input validation policies. Additionally, consider isolating critical administrative functions and enabling multi-factor authentication to reduce the risk of privilege abuse.