CVE-2025-22312
Description
DOM-based XSS in Thim Elementor Kit plugin <=1.2.9 allows attackers to inject arbitrary scripts via unsanitized input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Thim Elementor Kit plugin for WordPress, all versions up to and including 1.2.9. The plugin fails to properly neutralize user input during web page generation, so attacker-controlled data reaches a DOM sink and executes as script in the browser's DOM context [1].
Exploitation
An attacker can inject a crafted payload into an input field or URL parameter that is processed by the plugin without proper sanitization. The attacker does not need authentication; any visitor who accesses a page containing the malicious input will trigger the script. The attack vector is network-based, requiring the victim to visit a crafted link or page [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attacker gains the same level of access as the victim within the WordPress admin interface, potentially compromising sensitive data [1].
Mitigation
The ThimPress team has patched the vulnerability in version 1.4.1, released after 2025-01-07. Users must update the Thim Elementor Kit plugin to version 1.4.1 or later. No workarounds have been disclosed; upgrading is the only reliable mitigation [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=1.2.9
- (no CPE) range: <=1.2.9
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.