CVE-2025-8564 is a stored Cross-Site Scripting vulnerability identified in the SKT Addons for Elementor plugin for WordPress, maintained by sonalsinha21. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient input sanitization and output escaping of user-supplied attributes in multiple widgets. It affects all plugin versions up to and including 3.7. An attacker with contributor-level or higher privileges can inject arbitrary JavaScript code that is stored persistently within the website content. When any user, including administrators or visitors, accesses the compromised page, the malicious script executes in their browser context. This can lead to theft of authentication cookies, defacement, redirection to malicious sites, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits are known at this time, but the vulnerability is publicly disclosed and should be considered a credible risk. The root cause is the plugin's failure to properly sanitize and escape inputs before rendering them in the page DOM, a common issue in web applications that handle user-generated content. Given the widespread use of WordPress and Elementor, and the popularity of SKT Addons, this vulnerability could be leveraged in targeted attacks or automated campaigns if weaponized.

The impact of CVE-2025-8564 is significant for organizations running WordPress sites with the SKT Addons for Elementor plugin. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the browsers of site visitors and administrators. This can lead to credential theft, session hijacking, unauthorized administrative actions, defacement, or distribution of malware. The compromise of administrative accounts can further escalate to full site takeover, data breaches, or use of the site as a launchpad for attacks on visitors. Since contributor-level access is often granted to content creators or third parties, the risk of insider threats or compromised accounts is elevated. The vulnerability undermines the confidentiality and integrity of site data and user sessions, though it does not directly affect availability. Organizations relying on this plugin for critical web presence or e-commerce may suffer reputational damage, financial loss, and regulatory consequences if exploited. The medium CVSS score reflects the need for timely remediation, especially in environments with multiple contributors or high traffic.

To mitigate CVE-2025-8564, organizations should immediately upgrade the SKT Addons for Elementor plugin to a patched version once available. Until a patch is released, restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Implement additional input validation and output encoding at the application or web server level, such as using a Web Application Firewall (WAF) with custom rules to detect and block suspicious payloads targeting the vulnerable widgets. Regularly audit user-generated content for injected scripts and monitor logs for unusual activity. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Educate content contributors about safe input practices and the risks of XSS. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.