CVE-2025-6252 is a stored cross-site scripting (XSS) vulnerability categorized under CWE-79, affecting the Qi Addons For Elementor plugin for WordPress in all versions up to and including 1.9.1. The root cause is insufficient input sanitization and output escaping of several parameters, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the affected WordPress site. The vulnerability requires authentication but no user interaction to exploit, and it affects the confidentiality and integrity of the system without impacting availability. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, and privileges required at the contributor level. No patches or official fixes have been linked yet, and no known exploits are currently reported in the wild. The vulnerability is significant because WordPress powers a large portion of the web, and the Qi Addons plugin is widely used to extend Elementor page builder functionality, making many websites potentially vulnerable if they have not updated or mitigated this issue.

The primary impact of this vulnerability is the compromise of confidentiality and integrity within affected WordPress sites. Attackers with Contributor-level access can inject malicious scripts that execute in the context of other users, including administrators, potentially leading to session hijacking, theft of sensitive data, unauthorized content modification, or further privilege escalation. This can undermine trust in the affected websites, lead to data breaches, and facilitate broader attacks such as phishing or malware distribution. Since the vulnerability does not affect availability, denial-of-service is unlikely. However, the widespread use of WordPress and the popularity of the Qi Addons plugin mean that many organizations worldwide, including businesses, media outlets, and e-commerce platforms, could be impacted if they do not address this vulnerability promptly. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but this still represents a significant risk, especially in environments with multiple contributors or less stringent access controls.

Organizations should immediately verify if they are using the Qi Addons For Elementor plugin version 1.9.1 or earlier and plan to update to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level and higher access to trusted users only and review user permissions to minimize the number of users with such privileges. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injections targeting the plugin parameters can provide temporary protection. Regularly audit and sanitize content submitted by contributors, and monitor logs for unusual activity indicative of exploitation attempts. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting the execution of unauthorized JavaScript. Educating users about the risks of XSS and enforcing strong authentication and session management practices will further reduce the risk of exploitation.