CVE-2025-7960 is a stored Cross-Site Scripting (XSS) vulnerability identified in the King Addons for Elementor plugin, a popular WordPress extension that provides over 4,000 Elementor sections, 650 templates, and 70+ widgets. The vulnerability specifically affects the Pricing Slider, Pricing Calculator, and Image Accordion widgets due to insufficient sanitization of user-supplied input and lack of proper output escaping during web page generation. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions performed with the victim's privileges. The vulnerability is present in all plugin versions up to and including 51.1.39. The CVSS v3.1 base score is 6.4, reflecting medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (contributor or above), no user interaction, and scope change indicating impact beyond the vulnerable component. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WordPress and Elementor in website development. The vulnerability impacts confidentiality and integrity but not availability. The lack of output escaping and input validation represents a common CWE-79 weakness, emphasizing the importance of secure coding practices in plugin development. Organizations relying on this plugin should monitor for updates and consider interim mitigations to prevent exploitation.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of web applications using the King Addons for Elementor plugin. Exploitation could allow attackers with contributor-level access to inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or defacement of websites. This can damage organizational reputation, lead to data breaches, and disrupt business operations. Since WordPress powers a significant portion of European websites, including corporate, governmental, and e-commerce sites, the impact can be widespread. Organizations with multiple contributors or editors on their WordPress sites are particularly vulnerable. The vulnerability does not affect availability directly but can be leveraged as a stepping stone for further attacks. Compliance with data protection regulations such as GDPR may be impacted if personal data is compromised through this vulnerability. The medium severity score indicates that while exploitation requires some privileges, the potential damage to confidentiality and integrity is non-trivial.

1. Monitor the King Addons for Elementor plugin vendor announcements and apply security patches immediately once released to address CVE-2025-7960. 2. Until a patch is available, restrict contributor-level access to trusted users only and review user permissions to minimize the number of users who can inject content. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the affected widgets, focusing on script injection attempts. 4. Conduct regular security audits and code reviews of custom Elementor sections or templates to identify and sanitize user inputs properly. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected web pages. 6. Educate content editors and contributors about the risks of injecting untrusted content and enforce strict content validation policies. 7. Consider temporarily disabling or removing the affected widgets (Pricing Slider, Pricing Calculator, Image Accordion) if they are not essential until the vulnerability is patched. 8. Use security plugins that can detect and alert on suspicious activity related to XSS attempts within WordPress environments.