CVE-2025-7845 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Stratum – Elementor Widgets plugin for WordPress, specifically within the Advanced Google Maps and Image Hotspot widgets. The root cause is improper neutralization of user-supplied input during web page generation, classified under CWE-79. This vulnerability affects all plugin versions up to and including 1.6.0. The flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious scripts are stored persistently, they execute whenever any user accesses the infected page, potentially enabling session hijacking, defacement, or redirection to malicious sites. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required but no user interaction needed. The scope is changed, indicating the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the confidentiality and integrity of user data. No public exploits are currently known, but the vulnerability's nature makes it a significant risk for websites relying on this plugin. The lack of available patches at the time of publication necessitates immediate risk mitigation through access control and input validation measures.

The primary impact of CVE-2025-7845 is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages using the Stratum – Elementor Widgets plugin. This can lead to session hijacking, theft of sensitive user information, unauthorized actions performed on behalf of users, and defacement of website content. While availability is not directly affected, the integrity and confidentiality of site data and user sessions are at risk. Organizations running WordPress sites with this plugin installed may suffer reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. The vulnerability's exploitation could also facilitate further attacks such as phishing or malware distribution. Given the widespread use of WordPress and Elementor-based themes and plugins globally, the scope of affected systems is substantial, especially for content-heavy and interactive websites. The requirement for contributor-level authentication limits exploitation to insiders or compromised accounts, but this access level is common in collaborative environments, increasing the risk.

Organizations should immediately audit user roles and restrict contributor-level access to trusted individuals only, minimizing the risk of malicious script injection. Until an official patch is released, implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the Advanced Google Maps and Image Hotspot widgets. Employ additional input validation and output encoding on all user-supplied data fields related to these widgets to prevent script injection. Regularly monitor website content for unauthorized changes or injected scripts. Encourage users to update the Stratum – Elementor Widgets plugin promptly once a security update is available. Conduct security awareness training for contributors to recognize the risks of injecting untrusted content. Consider disabling or replacing vulnerable widgets if immediate patching is not feasible. Finally, maintain comprehensive backups and incident response plans to recover quickly from any successful exploitation.