CVE-2025-7960 is a stored Cross-Site Scripting vulnerability identified in the King Addons for Elementor plugin, a popular WordPress extension that provides over 4,000 Elementor sections, 650 templates, and 70+ widgets. The vulnerability specifically affects the Pricing Slider, Pricing Calculator, and Image Accordion widgets due to insufficient sanitization and escaping of user-supplied input attributes. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious scripts are stored persistently, they execute every time the infected page is viewed by any user, potentially compromising session tokens, redirecting users to malicious sites, or performing actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and scope change. No patches are currently available, and no active exploitation has been reported. The vulnerability stems from CWE-79, indicating improper neutralization of input during web page generation. This issue highlights the risks of insufficient input validation and output encoding in web applications, especially in widely used CMS plugins.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of web applications running WordPress with the King Addons plugin. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, unauthorized actions, data theft, or defacement. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches if personal data is exposed), and disrupt business operations. Since WordPress is widely used across Europe for corporate websites, e-commerce, and portals, the scope of affected systems is broad. The requirement for contributor-level privileges means that insider threats or compromised accounts are primary attack vectors. The vulnerability does not affect availability directly but can indirectly cause service disruptions through exploitation or remediation activities. The medium CVSS score reflects moderate impact but should not be underestimated given the potential for lateral movement and privilege escalation within compromised sites.

1. Monitor for official patches or updates from King Addons and apply them immediately upon release. 2. Until a patch is available, restrict contributor-level access strictly and audit user roles to minimize the number of users with such privileges. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the affected widgets. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 5. Conduct regular security reviews and code audits of customizations involving King Addons widgets. 6. Use security plugins that can detect and sanitize stored XSS payloads in WordPress content. 7. Educate content contributors about safe input practices and the risks of injecting untrusted content. 8. Consider temporarily disabling the affected widgets if they are not essential to reduce attack surface. 9. Monitor logs for unusual activity or script injections related to the affected widgets. 10. Backup affected websites regularly to enable quick restoration in case of compromise.