CVE-2025-8564 is a stored Cross-Site Scripting (XSS) vulnerability affecting the SKT Addons for Elementor plugin for WordPress, developed by sonalsinha21. This vulnerability exists in all versions up to and including 3.7 due to improper input sanitization and insufficient output escaping on user-supplied attributes within multiple widgets. An authenticated attacker with contributor-level privileges or higher can exploit this flaw to inject arbitrary malicious JavaScript code into pages generated by the plugin. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, defacement, or redirection to malicious sites. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4 (medium severity), reflecting a network attack vector with low attack complexity, requiring privileges (contributor-level), no user interaction, and impacting confidentiality and integrity with a scope change. No known exploits are currently reported in the wild, and no official patches have been released at the time of publication. The vulnerability affects all versions of the plugin, which is a popular addon for the Elementor page builder in WordPress environments, widely used for creating dynamic web content. The stored nature of the XSS means the malicious payload persists on the server and affects all users viewing the infected content, increasing the risk of widespread impact within affected sites.

For European organizations using WordPress with the SKT Addons for Elementor plugin, this vulnerability poses a significant risk to website integrity and user trust. Exploitation could lead to unauthorized disclosure of sensitive information such as authentication tokens or personal data, undermining confidentiality. Integrity of website content can be compromised through defacement or injection of misleading information. Although availability is not directly affected, reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data could be severe. Since contributor-level access is required, insider threats or compromised contributor accounts could facilitate exploitation. The vulnerability could also be leveraged as a foothold for further attacks within the organization's network or to target site visitors, including customers or employees. Given the widespread use of WordPress in Europe and the popularity of Elementor and its addons, the threat could affect a broad range of sectors including e-commerce, media, education, and government websites.

European organizations should immediately audit their WordPress installations to identify the presence of the SKT Addons for Elementor plugin and verify the version in use. Until an official patch is released, the following mitigations are recommended: 1) Restrict contributor-level access strictly to trusted users and review user permissions regularly to minimize the risk of insider exploitation. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting the plugin's widgets. 3) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 4) Conduct thorough input validation and output encoding in any custom code interacting with the plugin to reduce injection vectors. 5) Monitor website content for unauthorized script injections and unusual user behavior indicative of exploitation. 6) Plan for rapid deployment of patches once available and consider temporary deactivation of the plugin if risk is deemed unacceptable. 7) Educate content contributors about phishing and credential security to prevent account compromise.