CVE-2025-2944

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 2.6.12. The vulnerability resides in the plugin's Video Button and Countdown Widgets, where user-supplied attributes are not properly sanitized or escaped. This allows malicious input to be stored and later executed in the context of a user's browser when they visit a page containing these widgets.

Exploitation requires an authenticated attacker with at least contributor-level access to the WordPress site. The attacker can inject arbitrary web scripts by crafting payloads in widget attributes. The stored payload is triggered when any user, including administrators, accesses the affected page. The plugin's wide range of free and pro widgets, as described in the official plugin page [1], increases the potential attack surface.

The impact includes the ability to execute arbitrary JavaScript in the victim's session, leading to potential session hijacking, defacement, or redirection to malicious sites. The vulnerability has been assigned a CVSS v3 score of 6.4 (Medium), reflecting the need for authentication but the potential for significant harm.

Users should update the plugin to a patched version beyond 2.6.12 as soon as it becomes available. As of the advisory, no workaround has been detailed, but limiting contributor-level access or disabling the affected widgets may reduce risk.