CVE-2025-8564 is a stored Cross-Site Scripting (XSS) vulnerability affecting the SKT Addons for Elementor WordPress plugin, developed by sonalsinha21. This vulnerability exists in all versions up to and including 3.7 due to improper input sanitization and output escaping on user-supplied attributes within multiple widgets. Specifically, authenticated users with contributor-level access or higher can inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4 (medium severity), with an attack vector of network (remote), low attack complexity, requiring privileges (contributor or above), no user interaction needed, and a scope change indicating that the vulnerability affects resources beyond the initially vulnerable component. Confidentiality and integrity impacts are low, while availability is not affected. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability highlights the risk of insufficient input validation in WordPress plugins, especially those that allow content editing by multiple user roles.

For European organizations using WordPress sites with the SKT Addons for Elementor plugin, this vulnerability poses a significant risk. Since contributor-level users can inject malicious scripts, attackers who gain such access—either through compromised credentials or insider threats—can execute persistent XSS attacks. This can lead to theft of session cookies, unauthorized actions performed on behalf of other users, defacement, or distribution of malware. Given the widespread use of WordPress in Europe for corporate websites, e-commerce, and public sector portals, exploitation could result in reputational damage, data breaches involving personal data protected under GDPR, and potential regulatory penalties. The scope change in the CVSS vector suggests that the vulnerability could impact other components or users beyond the initial plugin context, increasing the risk of lateral movement or broader compromise within the web application. Although no availability impact is noted, the confidentiality and integrity impacts, even if low, are critical in environments handling sensitive or regulated data. The lack of current known exploits provides a window for mitigation, but the medium severity and ease of exploitation by authenticated users necessitate prompt action.

European organizations should take immediate steps to mitigate this vulnerability beyond generic patching advice. First, restrict contributor-level access strictly to trusted users and review existing user roles and permissions to minimize the number of users who can inject content. Implement Web Application Firewall (WAF) rules that detect and block typical XSS payloads targeting the SKT Addons for Elementor plugin widgets. Conduct thorough code reviews and input validation audits on all user-supplied content fields within the plugin's widgets. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Monitor logs for unusual activity indicative of attempted XSS exploitation, such as unexpected script tags or suspicious POST requests. Until an official patch is released, consider disabling or removing the SKT Addons for Elementor plugin if feasible, or isolating it in a staging environment. Educate content contributors about the risks of injecting untrusted code and enforce strict content submission guidelines. Finally, maintain an incident response plan tailored to web application attacks to quickly respond to any exploitation attempts.