CVE-2025-8609 identifies a stored Cross-Site Scripting (XSS) vulnerability in the RTMKit Addons for Elementor plugin for WordPress, specifically within the Accordion Block's attributes. This vulnerability stems from improper neutralization of input during web page generation (CWE-79), where user-supplied attributes are not adequately sanitized or escaped before being rendered. As a result, authenticated users with at least contributor-level access can inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the victim's session. The vulnerability affects all versions up to and including 1.6.1 of the RTMKit plugin. The CVSS v3.1 base score of 6.4 indicates a medium severity, with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches are currently linked, and no known exploits have been reported in the wild, but the risk remains significant due to the widespread use of WordPress and Elementor plugins. The vulnerability's exploitation requires authenticated access, which limits exposure but still poses a threat in environments where contributor-level accounts are common or compromised.

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on WordPress sites with the RTMKit Addons for Elementor plugin installed. Exploitation could allow attackers to execute malicious scripts in the browsers of site visitors or administrators, leading to theft of authentication cookies, defacement of websites, or unauthorized actions performed with the victim's privileges. This can damage organizational reputation, lead to data breaches, and disrupt business operations. Given the medium severity and requirement for contributor-level access, insider threats or compromised accounts pose a notable risk. Organizations with public-facing websites, e-commerce platforms, or portals using this plugin are particularly vulnerable. The cross-site scripting can also be leveraged to deliver further payloads or pivot to more severe attacks, increasing the overall risk profile.

Immediate mitigation steps include restricting contributor-level and higher privileges to trusted users only and auditing existing accounts for suspicious activity. Organizations should monitor their WordPress environments for unusual behavior or injected scripts in pages using the Accordion Block. Until an official patch is released, applying Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the vulnerable attributes can reduce risk. Implementing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Additionally, developers and administrators should sanitize and escape all user inputs rigorously, especially in custom or third-party plugins. Regularly updating WordPress core, themes, and plugins once patches are available is critical. Security teams should also educate content contributors about the risks of uploading or embedding untrusted content.