CVE-2025-67951 is a DOM-based Cross-site Scripting (XSS) vulnerability identified in the WPZOOM Addons for Elementor plugin, a popular WordPress extension used to enhance Elementor page builder functionality. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and executed within the victim's browser context. This type of XSS is particularly dangerous because it manipulates the Document Object Model (DOM) on the client side, bypassing some traditional server-side input validation mechanisms. The affected versions include all releases up to and including 1.2.10, with no patch currently publicly available. Exploitation typically requires an attacker to craft a malicious URL or web content that, when visited or interacted with by a user, executes arbitrary JavaScript code. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Although no known exploits are reported in the wild, the vulnerability is publicly disclosed and thus may attract attackers. The plugin is widely used in WordPress sites that utilize Elementor, which is popular among European businesses for website creation and management. The lack of a CVSS score necessitates an independent severity assessment based on impact and exploitability factors.

For European organizations, the impact of this DOM-based XSS vulnerability can be significant. Successful exploitation can compromise user sessions, leading to unauthorized access to sensitive information such as personal data, authentication tokens, or administrative credentials. This threatens confidentiality and integrity of data handled by affected websites. Additionally, attackers could deface websites or redirect users to phishing or malware distribution sites, damaging organizational reputation and trust. Availability could be indirectly affected if the website is taken offline for remediation or due to denial-of-service caused by malicious scripts. Organizations in sectors with high reliance on web presence—such as e-commerce, media, education, and government—face heightened risks. The vulnerability also raises compliance concerns under GDPR, as data breaches involving personal data must be reported and can incur penalties. Since exploitation does not require authentication, any visitor to a compromised site could be targeted, broadening the attack surface.

Immediate mitigation involves monitoring WPZOOM’s official channels for patches addressing this vulnerability and applying updates promptly once released. Until a patch is available, organizations should implement strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the risk of XSS exploitation. Input validation and sanitization should be enforced on all user-controllable inputs, especially those reflected in the DOM. Web Application Firewalls (WAFs) can be configured to detect and block common XSS attack patterns targeting this plugin. Security teams should audit websites using WPZOOM Addons for Elementor to identify and remediate any instances of vulnerable versions. User awareness campaigns can help reduce the risk of users clicking on suspicious links. Regular security testing, including automated scanning and manual penetration testing focused on DOM-based XSS, should be integrated into the development lifecycle. Finally, logging and monitoring should be enhanced to detect anomalous activities indicative of exploitation attempts.