CVE-2025-5292 is a stored Cross-Site Scripting (XSS) vulnerability affecting the 'Element Pack Addons for Elementor' WordPress plugin, developed by bdthemes. This plugin provides a suite of ready templates, blocks, widgets, and WooCommerce builder features to enhance Elementor-based websites. The vulnerability arises from improper neutralization of input during web page generation, specifically via the 'marker_content' parameter. In all plugin versions up to and including 5.11.2, insufficient input sanitization and output escaping allow authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because this is a stored XSS, the malicious script is saved on the server and executed whenever any user accesses the compromised page. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change with limited confidentiality and integrity impact but no availability impact. Exploitation does not require user interaction but does require authenticated access with contributor or higher privileges, which are common roles in WordPress multi-user environments. The vulnerability can lead to session hijacking, privilege escalation, defacement, or distribution of malware through injected scripts. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was published on May 31, 2025, with the CWE-79 classification indicating improper input neutralization during web page generation.

For European organizations using WordPress websites enhanced with the Element Pack Addons for Elementor plugin, this vulnerability poses a significant risk. Many European businesses, including e-commerce, media, and service providers, rely on WordPress and Elementor for their web presence. An attacker with contributor-level access could inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to credential theft, unauthorized actions, or spreading malware. This can damage brand reputation, lead to data breaches involving customer information, and cause regulatory compliance issues under GDPR due to unauthorized data exposure or processing. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the attacker’s privileges, increasing risk. Since contributor roles are often assigned to content creators or editors, insider threats or compromised accounts could be leveraged to exploit this vulnerability. The lack of user interaction needed means that any visitor to the infected page could be affected silently. Although no known exploits are reported yet, the medium severity and ease of exploitation by authenticated users make it a credible threat vector for European organizations with multi-user WordPress sites.

European organizations should immediately audit their WordPress installations to identify if the Element Pack Addons for Elementor plugin is installed and determine the version in use. Until an official patch is released, organizations should restrict contributor-level access to trusted users only, enforce strong authentication mechanisms including multi-factor authentication, and monitor user activities for suspicious behavior. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'marker_content' parameter can provide temporary protection. Content Security Policy (CSP) headers should be configured to limit the execution of unauthorized scripts. Regular backups of website data and code should be maintained to enable quick restoration if an injection occurs. Organizations should also consider disabling or removing the plugin if it is not essential. Once a patch is available, prompt application of updates is critical. Additionally, security teams should conduct thorough scanning for injected scripts and review logs for anomalous contributor activity. User education on phishing and credential security can reduce the risk of account compromise leading to exploitation.