CVE-2025-7960 is a stored cross-site scripting vulnerability identified in the King Addons for Elementor plugin, a popular WordPress extension that provides over 4,000 Elementor sections, 650+ templates, and 70+ widgets. The vulnerability affects all versions up to and including 51.1.39. It specifically impacts the Pricing Slider, Pricing Calculator, and Image Accordion widgets due to improper neutralization of user-supplied input during web page generation. The root cause is insufficient input sanitization and lack of proper output escaping, which allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users visit these pages, the injected scripts execute in their browsers, potentially enabling session hijacking, privilege escalation, defacement, or other malicious activities. The vulnerability requires no user interaction beyond page access and does not require higher privileges than contributor, making it a significant risk in environments where contributors can publish or edit content. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required (low), no user interaction, and impact on confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin vendor has not yet published patches, so mitigation currently relies on access control and manual input validation.

The impact of CVE-2025-7960 is primarily on the confidentiality and integrity of affected WordPress sites using the King Addons for Elementor plugin. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, defacement of website content, and potential distribution of malware. Since contributors are often trusted users, the attack surface includes many legitimate users who can edit content, increasing the risk of exploitation. The vulnerability does not affect availability directly but can cause reputational damage and loss of user trust. Organizations relying on this plugin for their web presence, especially those with multiple contributors or editors, face increased risk of compromise. The widespread use of WordPress and Elementor, particularly in small to medium businesses, blogs, and e-commerce sites, means the scope of affected systems is large globally. Without timely remediation, attackers could leverage this vulnerability to establish persistent footholds and conduct further attacks within compromised environments.

1. Immediately restrict contributor-level user privileges to trusted individuals and review existing contributor accounts for suspicious activity. 2. Monitor and audit content changes in the affected widgets (Pricing Slider, Pricing Calculator, Image Accordion) for unauthorized script injections. 3. Implement web application firewall (WAF) rules to detect and block malicious script payloads targeting these widgets. 4. Apply manual input validation and output encoding in custom code or overrides if possible to sanitize user inputs before rendering. 5. Regularly update the King Addons for Elementor plugin as soon as the vendor releases a patch addressing this vulnerability. 6. Educate content contributors about safe content editing practices and the risks of injecting untrusted code. 7. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 8. Conduct periodic security scans and penetration tests focusing on XSS vulnerabilities in WordPress environments. These steps go beyond generic advice by focusing on access control, monitoring, and layered defenses until an official patch is available.