CVE-2025-67951: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WPZOOM WPZOOM Addons for Elementor
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor wpzoom-elementor-addons allows DOM-Based XSS. This issue affects WPZOOM Addons for Elementor: from n/a through <= 1.2.10.
AI Analysis
Technical Summary
CVE-2025-67951 is a DOM-based Cross-site Scripting vulnerability affecting the WPZOOM Addons for Elementor WordPress plugin, specifically versions up to and including 1.2.10. The vulnerability stems from improper neutralization of user-supplied input during web page generation, which allows malicious actors to inject and execute arbitrary JavaScript code within the context of the victim’s browser. This type of XSS is particularly dangerous because it exploits client-side script execution, potentially bypassing some server-side protections. The attack vector is remote (network accessible), requires low privileges (authenticated user), and user interaction (e.g., clicking a crafted link or visiting a malicious page). The vulnerability’s CVSS 3.1 base score is 6.5, reflecting medium severity with impacts on confidentiality, integrity, and availability. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. Although no known exploits are currently reported in the wild, the widespread use of Elementor and WPZOOM Addons in WordPress sites makes this a relevant threat. The vulnerability could be leveraged to steal session tokens, perform actions on behalf of users, or deliver malware payloads. The lack of an official patch link suggests that remediation may require vendor updates or manual mitigations. The vulnerability was reserved and published in December 2025 by Patchstack, indicating recent discovery and disclosure.
Potential Impact
For European organizations, this vulnerability poses a risk to websites and web applications built on WordPress using the WPZOOM Addons for Elementor plugin. Successful exploitation can lead to theft of sensitive user information such as session cookies, enabling account takeover or privilege escalation. It can also facilitate unauthorized actions on affected sites, defacement, or distribution of malware to visitors, damaging reputation and trust. The medium severity score reflects moderate impact, but the changed scope means that attacks could affect multiple users or systems beyond the initially vulnerable component. Organizations in sectors with a high reliance on their web presence, such as e-commerce, finance, and government, may face operational disruptions or data breaches. Given the requirement for user interaction and low privileges, phishing or social engineering could be used to trigger exploitation. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, especially as threat actors often develop exploits after public disclosure. The impact is heightened in environments where plugin updates are delayed or where security monitoring is insufficient.
Mitigation Recommendations
1. Monitor WPZOOM and Elementor official channels for security patches addressing CVE-2025-67951 and apply updates promptly once available.
2. Until patches are released, implement strict Content Security Policies (CSP) to restrict execution of unauthorized scripts in browsers.
3. Employ web application firewalls (WAFs) with rules targeting XSS payloads specific to this plugin's behavior.
4. Conduct thorough input validation and sanitization on all user-supplied data, especially in custom code or integrations involving the plugin.
5. Educate users and administrators about phishing risks and the importance of cautious interaction with links or content that could trigger XSS.
6. Regularly audit WordPress plugins and remove or replace those no longer maintained or with known vulnerabilities.
7. Enable multi-factor authentication (MFA) for administrative accounts to reduce the impact of session hijacking.
8. Monitor logs and user activity for anomalies that might indicate exploitation attempts.
9. Consider isolating critical WordPress instances or using containerization to limit potential lateral movement.
10. Back up website data and configurations regularly to enable rapid recovery if compromise occurs.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-15T10:00:16.552Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69411753594e45819d70ccc7
Added to database: 12/16/2025, 8:24:51 AM
Last enriched: 1/31/2026, 8:05:20 AM
Last updated: 2/6/2026, 9:33:13 AM
Views: 52