CVE-2025-8195 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the JetWidgets For Elementor plugin for WordPress. This plugin provides additional widgets to enhance Elementor page builder functionality, specifically the Image Comparison and Subscribe widgets. The vulnerability exists due to improper neutralization of user-supplied input during web page generation, where input attributes are neither sufficiently sanitized nor properly escaped before rendering. Authenticated attackers with contributor-level privileges or higher can exploit this by injecting arbitrary JavaScript payloads into pages via these widgets. When other users access the infected pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions within the context of the victim’s browser session. The vulnerability affects all versions up to and including 1.0.20. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, requiring privileges but no user interaction, with a scope change and limited confidentiality and integrity impact but no availability impact. No patches or fixes are currently linked, and no active exploitation has been reported. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow content creation by authenticated users.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within affected WordPress sites. Attackers with contributor or higher privileges can inject persistent malicious scripts that execute in the browsers of any user visiting the compromised pages, including administrators. This can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, phishing, or malware distribution. Since the vulnerability requires authenticated access, it limits exploitation to insiders or compromised accounts, but many WordPress sites allow contributors or editors, increasing the attack surface. The scope change in the CVSS vector means the vulnerability can affect resources beyond the initially compromised component, potentially impacting the entire site. Organizations relying on JetWidgets For Elementor for their website functionality risk reputational damage, data leakage, and unauthorized access if exploited. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, as attackers may develop exploits once the vulnerability becomes widely known.

To mitigate this vulnerability, organizations should first check for updates or patches from the JetMonsters vendor and apply them promptly once available. In the absence of official patches, administrators should restrict contributor-level access and above to only trusted users to reduce the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the affected widgets can provide temporary protection. Site administrators should audit existing pages using the Image Comparison and Subscribe widgets for suspicious scripts and remove any unauthorized content. Additionally, enabling Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting allowed script sources. Regular security reviews of user-generated content and plugin configurations are recommended. Finally, consider disabling or replacing the vulnerable widgets if immediate patching is not feasible.