CVE-2025-6244 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin 'Essential Addons for Elementor – Popular Elementor Templates & Widgets' developed by wpdevteam. This vulnerability exists in all versions up to and including 6.1.19. The root cause is improper neutralization of input during web page generation (CWE-79), specifically insufficient input sanitization and output escaping in the 'Calendar' and 'Business Reviews' widget attributes. An authenticated attacker with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary malicious JavaScript code into pages via these widget attributes. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious actions within the context of the victim's browser session. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. The vulnerability impacts confidentiality and integrity but not availability. No known public exploits have been reported yet, and no official patches are linked in the provided data. This vulnerability is significant because Elementor is a widely used WordPress page builder, and the Essential Addons plugin is popular for extending Elementor's functionality, meaning many websites could be affected if they use this plugin and have users with Contributor-level access or higher.

For European organizations, this vulnerability poses a moderate risk primarily to websites using WordPress with the Essential Addons for Elementor plugin. The impact includes potential theft of user credentials, session tokens, or other sensitive data via injected scripts, which can lead to unauthorized access or data breaches. Since the exploit requires authenticated Contributor-level access, the risk is higher in environments where multiple users have such privileges, including editorial teams or external contributors. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially allowing attackers to escalate privileges or pivot within the web application. This could lead to reputational damage, regulatory non-compliance (e.g., GDPR violations due to data leakage), and operational disruptions. Given the widespread use of WordPress in Europe across sectors such as media, education, and small to medium enterprises, the vulnerability could have broad implications if exploited. However, the absence of known exploits in the wild and the requirement for authenticated access somewhat limit immediate widespread impact.

European organizations should take the following specific actions: 1) Immediately audit WordPress sites to identify installations of the Essential Addons for Elementor plugin and determine the version in use. 2) Restrict Contributor-level and higher privileges to trusted users only, and review user roles to minimize unnecessary elevated access. 3) Implement strict input validation and output encoding on all user-generated content, especially in custom widgets or plugins, to mitigate XSS risks. 4) Monitor website logs and user activity for unusual behavior that could indicate exploitation attempts. 5) Since no official patch is currently linked, consider temporarily disabling or removing the vulnerable widgets ('Calendar' and 'Business Reviews') until a vendor patch is released. 6) Employ Web Application Firewalls (WAFs) with rules targeting common XSS attack patterns to provide an additional layer of defense. 7) Educate content contributors about the risks of injecting untrusted content and enforce secure content management policies. 8) Stay updated with vendor announcements for patches or updates addressing this vulnerability and apply them promptly once available.