VYPR
Medium severity (6.4) · NVD Advisory · Published Apr 18, 2025 · Updated Apr 15, 2026

CVE-2025-3106

Description

Stored XSS in the LA-Studio Element Kit for Elementor Table of Contents widget (all versions up to and including 1.4.9) allows authenticated users with Contributor-level access or above to inject arbitrary scripts into pages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in the Table of Contents widget. The vulnerability exists in all versions up to and including 1.4.9 due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated users with contributor-level access or above can inject arbitrary web scripts that execute when any user visits the affected page [1].

Exploitation

An attacker must have a WordPress account with at least the Contributor role and be able to create or edit posts/pages in the Elementor editor. The attacker adds the Table of Contents widget to a page or post and places a script payload in one of the widget's attributes (e.g., the title or other text fields). The payload is saved with the post's Elementor data and rendered into the page output without escaping. No interaction is required beyond a victim viewing the page: because Contributors cannot publish, the first victim is typically an Editor or Administrator who previews or reviews the pending post, and once published every visitor is exposed [1].
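The render pattern described in the two sections above, shown as an added illustration rather than the plugin's own code: a widget that interpolates stored settings straight into HTML, beside the escaped form that closes the hole. The control names (title, toc_id, heading_selector) and the CSS classes are assumed; the esc_html()/esc_attr() stand-ins exist only so the script runs outside WordPress, where the real functions are defined.

```php
<?php
// Added illustration (not the plugin's own code): the render pattern that
// produces a stored XSS like CVE-2025-3106, and the escaped form that
// closes it. Control names (title, toc_id, heading_selector) are assumed.

// Stand-ins so this runs outside WordPress; inside WordPress the real
// esc_html()/esc_attr() are used (they are htmlspecialchars-based too).
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable: widget settings (stored Elementor post data, fully controlled
// by a Contributor who can edit the post) are echoed into HTML unchanged.
function render_toc_vulnerable(array $settings): string {
    return '<div class="toc" id="' . $settings['toc_id'] . '">'
         . '<h3 class="toc-title">' . $settings['title'] . '</h3>'
         . '<ul data-selector="' . $settings['heading_selector'] . '"></ul>'
         . '</div>';
}

// Hardened: every value is escaped for the context it lands in.
// esc_attr() for attribute values, esc_html() for element text; use
// wp_kses_post() instead of esc_html() only if limited markup must survive.
function render_toc_hardened(array $settings): string {
    return '<div class="toc" id="' . esc_attr($settings['toc_id']) . '">'
         . '<h3 class="toc-title">' . esc_html($settings['title']) . '</h3>'
         . '<ul data-selector="' . esc_attr($settings['heading_selector']) . '"></ul>'
         . '</div>';
}

// Constructed attacker input: one payload per output context
// (text node, double-quoted attribute, attribute broken out into a tag).
$settings = [
    'title'            => '<img src=x onerror=alert(document.cookie)>',
    'toc_id'           => '" onmouseover="alert(1)',
    'heading_selector' => 'h2"><script>alert(2)</script>',
];

echo "VULNERABLE:\n", render_toc_vulnerable($settings), "\n\n";
echo "HARDENED:\n",   render_toc_hardened($settings),   "\n";
// In the hardened output no payload leaves its attribute or text node:
// < > " are emitted as &lt; &gt; &quot; and the browser renders them as text.
```

Run with `php render_toc.php`. The vulnerable output contains a live `<img onerror>` in the heading, a closed `id=""` followed by an injected `onmouseover` handler, and a `<script>` element that escaped the `data-selector` attribute; the hardened output contains none of these. Escaping at output is what fixes the class of bug the advisory describes; sanitizing on save (e.g. `sanitize_text_field()` in the widget's control handling) is worthwhile defence in depth but does not replace context-correct escaping at render time.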

Impact

Successful exploitation allows the attacker to inject arbitrary JavaScript or HTML into the page, executing in the context of any visitor's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack is stored (persistent) and affects all users who access the injected page, including administrators [1].

Mitigation

The vulnerability is addressed in version 1.5.0 of the plugin; the changelog entry for that release reads "Fix TOC issue" alongside other fixes. Sites must update to version 1.5.0 or later (the available references show 1.6.0 as the current release at the time of writing). No workaround is provided, so any site running 1.4.9 or earlier remains vulnerable until it updates. The vulnerability is not listed on the CISA KEV at this time [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
