CVE-2025-22812

Vulnerability

Overview

The News Ticker Widget for Elementor plugin for WordPress versions 1.3.2 and earlier contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript code into the widget's output.

Exploitation

Details

An attacker with contributor-level privileges (or higher) can inject malicious script payloads through the widget's settings. When an administrator or other privileged user views the page containing the crafted widget, the injected script executes in their browser session [1]. The attack requires user interaction from the victim, such as visiting the affected page.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can be used to perform actions like redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing sensitive information such as cookies or session tokens [1].

Mitigation

The vulnerability has been addressed in version 1.3.3 of the plugin. Users are strongly advised to update immediately. If auto-updates are enabled via Patchstack, the fix will be applied automatically [1]. No workarounds are available.