
CVE-2025-7845: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jetmonsters Stratum – Elementor Widgets

Medium
Tags: Vulnerability, CVE-2025-7845, CWE-79
Published: Fri Aug 01 2025 (08/01/2025, 04:24:30 UTC)
Source: CVE Database V5
Vendor/Project: jetmonsters
Product: Stratum – Elementor Widgets

Description

The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Advanced Google Maps and Image Hotspot widgets in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AI analysis last updated: 08/01/2025, 05:03:29 UTC

Technical Analysis

CVE-2025-7845 is a stored cross-site scripting (XSS) vulnerability in the Stratum – Elementor Widgets plugin for WordPress, affecting all versions up to and including 1.6.0. The root cause is CWE-79: user-supplied attributes of the plugin's Advanced Google Maps and Image Hotspot widgets are neither sanitized when saved nor escaped for their output context when the widget is rendered, so an attribute value can break out of the HTML it is inserted into. An authenticated user with the Contributor role or higher can therefore store a payload in a page or post built with these widgets. Because Contributors cannot publish, a Contributor's draft is normally reviewed or previewed by an Editor or Administrator; the stored script then runs in that higher-privileged user's browser, and in every visitor's browser once the page is published. That is what makes session hijacking, actions performed with the victim's privileges (for example creating an additional administrator account) and content tampering realistic outcomes. The CVSS v3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required (PR:L), no user interaction (UI:N, since the victim only has to load the page), changed scope (S:C, because the script executes in the victim's browser rather than in the plugin itself), low impact to confidentiality and integrity, none to availability. No exploitation in the wild has been reported and no patch was linked at the time of this record, so remediation currently depends on a vendor update or on the manual measures below.
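The escaping failure described above, as an added illustration that is not code from the Stratum plugin or from Wordfence: a generic Elementor-style widget render() that writes Contributor-controlled settings into markup, first without escaping and then with context-specific escaping. The setting names (hotspot_x, hotspot_y, hotspot_title, hotspot_label) and the payloads are hypothetical; the function_exists() stand-ins let the file run under plain `php` outside WordPress, where the real esc_attr(), esc_html() and absint() take over.

```php
<?php
// Added illustration, not code from the Stratum plugin: an Elementor-style
// render() that writes Contributor-controlled widget settings into HTML.
// Setting names (hotspot_x, hotspot_y, hotspot_title, hotspot_label) are
// hypothetical. The function_exists() blocks are stand-ins for WordPress's
// escaping helpers so the file runs under plain `php`; inside WordPress the
// real esc_attr()/esc_html()/absint() are used and the stand-ins are skipped.

if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('absint')) {
    function absint($v) { return abs((int) $v); }
}

// Vulnerable pattern (CWE-79): raw settings land in an attribute value, a CSS
// declaration and a text node. Any one of the three is enough for stored XSS.
function render_hotspot_unsafe(array $s): string {
    return '<div class="hotspot" style="left:' . $s['hotspot_x'] . '%;top:' . $s['hotspot_y'] . '%"'
         . ' title="' . $s['hotspot_title'] . '">'
         . '<span>' . $s['hotspot_label'] . '</span></div>';
}

// Hardened pattern: escape for the context each value lands in. esc_attr()
// for attribute values, esc_html() for text nodes, absint() for values that
// must be numbers. (A URL that ends up in href/src would go through esc_url().)
function render_hotspot_safe(array $s): string {
    return '<div class="hotspot" style="left:' . absint($s['hotspot_x']) . '%;top:' . absint($s['hotspot_y']) . '%"'
         . ' title="' . esc_attr($s['hotspot_title']) . '">'
         . '<span>' . esc_html($s['hotspot_label']) . '</span></div>';
}

// Constructed settings standing in for what a Contributor could save:
// the title closes the attribute and appends an event handler, the label
// injects an element whose onerror fires as soon as the page loads.
$settings = [
    'hotspot_x'     => '40',
    'hotspot_y'     => '60',
    'hotspot_title' => '" autofocus onfocus="alert(document.cookie)',
    'hotspot_label' => '<img src=x onerror="alert(document.domain)">',
];

echo "unsafe: ", render_hotspot_unsafe($settings), PHP_EOL;
echo "safe:   ", render_hotspot_safe($settings), PHP_EOL;
```

The unsafe output contains `title="" autofocus onfocus="alert(document.cookie)"` and a live `<img onerror>` element; the safe output carries the same strings as inert `&quot;` and `&lt;img ...&gt;` text. The point a reviewer should take from it is that the escaping function must match the context (attribute, text, URL, number), not that one sanitizer applied on save is sufficient.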

Potential Impact

For European organizations running WordPress sites that use the Stratum – Elementor Widgets plugin, the practical risk is that any account with the Contributor role (a role commonly given to guest authors, agencies and interns) becomes a foothold for persistent script injection. Because Contributor drafts are reviewed by Editors or Administrators before publication, the first browser to execute the payload is typically a privileged one; from there the script can act with that user's session, for instance to read data, alter content or create further accounts, and once the page is published it runs for every visitor. Consequences range from defacement and credential theft to exposure of personal data that is reportable under GDPR, across the corporate, public-sector, finance, healthcare, education and e-commerce sites where WordPress and Elementor are widely deployed. The CVSS scope change reflects exactly this: the vulnerable component is the plugin, but the impact lands in the browser session of whoever views the page. The UI:N rating does not mean nobody has to act; a victim still has to load the page, but that happens in the normal course of editorial review. Injected scripts can also be used to load further malware or to redirect visitors to phishing pages.

Mitigation Recommendations

European organizations should first establish whether the Stratum – Elementor Widgets plugin is installed and at which version; the Plugins screen in wp-admin or a WP-CLI plugin listing shows both, and any version up to and including 1.6.0 is affected. Until a fixed release is available, the widgets named in the advisory (Advanced Google Maps and Image Hotspot) should be removed from published pages and from Contributor drafts, or the plugin disabled if the site can do without it. Since the attacker must hold the Contributor role or higher, tightening who has that role matters more than perimeter controls: review Contributor and Author accounts, remove stale ones, and use Elementor's Role Manager to keep roles that do not need the page builder out of the Elementor editor. A WAF adds a second line of defence against obvious payloads, but the malicious attributes are submitted through Elementor's authenticated save endpoints, so rules must cover that path and will not catch obfuscated values reliably. A Content Security Policy limits what an injected script can do, with the caveat that WordPress and Elementor emit inline scripts, so a policy strict enough to block the payload needs nonces or hashes and must be tested against the front end. Monitoring should include the stored widget data itself (the _elementor_data post meta), not only the rendered HTML, so that injected values in unpublished drafts are caught before an Editor previews them. Apply the vendor's patch as soon as it is published, and brief editors and reviewers that previewing an untrusted draft is the moment this class of bug is triggered.
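The monitoring step above, as an added example (not code from the plugin, Elementor or Wordfence): a scanner for the JSON that Elementor stores in the `_elementor_data` post meta, walking every widget's settings, including nested repeater rows such as a list of hotspots, and flagging strings that look like injected script. The element tree shape (elType, widgetType, settings, elements) is Elementor's storage format; the widget name `hotspot-widget`, the setting keys and the payload in the sample are constructed for the demonstration. The regular expressions are heuristics and will produce some false positives on ordinary prose.

```php
<?php
// Added example, not the plugin's or Wordfence's code: scan the JSON that
// Elementor stores in the `_elementor_data` post meta for widget settings
// that look like injected script. The widget name, setting keys and payload
// in the sample are constructed; the element tree shape (elType / widgetType /
// settings / elements) is Elementor's storage format.

const SUSPICIOUS_PATTERNS = [
    '/<\s*script\b/i',
    '/\bon[a-z]+\s*=/i',                  // inline event handlers: onerror=, onfocus=, ...
    '/javascript\s*:/i',
    '/<\s*(iframe|svg|object|embed)\b/i',
    '/\bsrcdoc\s*=/i',
];

function looks_suspicious(string $value): bool {
    foreach (SUSPICIOUS_PATTERNS as $re) {
        if (preg_match($re, $value)) {
            return true;
        }
    }
    return false;
}

// Recursively walks one setting value (string, list or repeater row) and
// records every string that matches, with a dotted path to where it sits.
function scan_value($value, string $path, array &$findings): void {
    if (is_string($value)) {
        if (looks_suspicious($value)) {
            $findings[] = ['path' => $path, 'value' => $value];
        }
    } elseif (is_array($value)) {
        foreach ($value as $k => $v) {
            scan_value($v, $path . '.' . $k, $findings);
        }
    }
}

// Walks the element tree: sections and columns carry child elements,
// widgets carry the settings a Contributor typed into the editor.
function scan_elements(array $elements, string $path, array &$findings): void {
    foreach ($elements as $el) {
        $label = ($el['widgetType'] ?? $el['elType'] ?? 'element') . '#' . ($el['id'] ?? '?');
        $here  = $path === '' ? $label : $path . '/' . $label;
        scan_value($el['settings'] ?? [], $here, $findings);
        if (!empty($el['elements'])) {
            scan_elements($el['elements'], $here, $findings);
        }
    }
}

function scan_elementor_data(string $json): array {
    $tree = json_decode($json, true);
    if (!is_array($tree)) {
        throw new InvalidArgumentException('not valid _elementor_data JSON');
    }
    $findings = [];
    scan_elements($tree, '', $findings);
    return $findings;
}

// Constructed sample: one section with a benign heading and a hotspot-style
// widget whose second repeater row carries an event-handler payload.
$sample = json_encode([[
    'id' => 'a1b2c3', 'elType' => 'section', 'settings' => [],
    'elements' => [[
        'id' => 'd4e5f6', 'elType' => 'column', 'settings' => [],
        'elements' => [
            ['id' => '111111', 'elType' => 'widget', 'widgetType' => 'heading',
             'settings' => ['title' => 'Our offices']],
            ['id' => '222222', 'elType' => 'widget', 'widgetType' => 'hotspot-widget',
             'settings' => ['hotspots' => [
                 ['title' => 'Berlin', 'x' => '40'],
                 ['title' => '" autofocus onfocus="alert(document.cookie)', 'x' => '60'],
             ]]],
        ],
    ]],
]]);

foreach (scan_elementor_data($sample) as $f) {
    printf("%s => %s\n", $f['path'], $f['value']);
}
```

On a real site the JSON comes from the database rather than from the constructed sample, for example via `wp post meta get <post_id> _elementor_data` for each page, or a query on wp_postmeta for meta_key `_elementor_data`; include draft and pending posts, since that is where a Contributor's payload waits for review. Every hit should be checked by hand, because the patterns also match harmless text such as a phrase containing "online =".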


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-07-18T20:10:01.971Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 688c46f1ad5a09ad00c4fdad

Added to database: 8/1/2025, 4:47:45 AM

Last enriched: 8/1/2025, 5:03:29 AM

Last updated: 8/2/2025, 12:56:19 PM

