The LA-Studio Element Kit for Elementor plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-8360. This vulnerability stems from insufficient sanitization and escaping of user-supplied input within multiple widgets of the plugin, allowing malicious scripts to be stored and executed in the context of the affected website. The flaw affects all versions up to and including 1.5.5.1. An attacker with contributor-level or higher privileges can exploit this by injecting arbitrary JavaScript code into pages generated by the plugin. When other users, including administrators or site visitors, access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or further exploitation such as privilege escalation. The vulnerability requires authentication but no user interaction beyond visiting the infected page. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impacts on confidentiality and integrity with no availability impact. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. Given the widespread use of Elementor and its plugins in WordPress sites, this vulnerability poses a significant risk to websites relying on this plugin for content creation and layout.

The primary impact of CVE-2025-8360 is the compromise of confidentiality and integrity of affected WordPress sites using the LA-Studio Element Kit plugin. Exploitation allows attackers to execute arbitrary JavaScript in the context of the website, which can lead to theft of user credentials, session tokens, or other sensitive information. It can also enable attackers to perform actions on behalf of legitimate users, potentially escalating privileges or defacing content. Since the vulnerability requires contributor-level access, attackers must first compromise or have legitimate access to the site, which limits the attack surface but still poses a serious risk especially in environments with multiple contributors or weak access controls. The vulnerability does not impact availability directly but can be leveraged as part of broader attack chains. Organizations with public-facing WordPress sites using this plugin risk reputational damage, data breaches, and loss of user trust if exploited. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate it, as proof-of-concept or weaponized exploits may emerge.

1. Immediate mitigation involves updating the LA-Studio Element Kit for Elementor plugin to a version that addresses this vulnerability once released by the vendor. Since no patch links are currently available, monitor vendor announcements closely. 2. Restrict contributor-level and higher access to trusted users only, and review user permissions regularly to minimize the risk of insider threats or compromised accounts. 3. Implement Web Application Firewall (WAF) rules that detect and block common XSS payloads targeting the plugin’s widgets. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the site. 5. Conduct regular security audits and code reviews of custom widgets or extensions to ensure proper input validation and output encoding. 6. Educate site administrators and contributors about the risks of XSS and safe content management practices. 7. Monitor site logs and user activity for suspicious behavior indicative of exploitation attempts. 8. Consider disabling or removing the vulnerable plugin if it is not essential to site functionality until a secure version is available.