Medium severity6.4NVD Advisory· Published Jan 8, 2026· Updated Apr 15, 2026

CVE-2025-14275

Description

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element.

Affected products

WordPress/Jeg Elementor Kitinferred
Range: <=3.0.1
Package: https://wordpress.org/plugins/jeg-elementor-kit
Jegtheme/Jeg Elementor Kitllm-fuzzy
Range: <= 3.0.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/3.0.1/assets/js/elements/countdown.jsnvd
plugins.trac.wordpress.org/changesetnvd
www.wordfence.com/threat-intel/vulnerabilities/id/8fcb4047-5173-4d10-a4bb-72f1919b9203nvd

News mentions

No linked articles in our index yet.

cvss	0.416
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000