CVE-2025-32189
Description
DOM-Based XSS vulnerability in BWD Elementor Addons plugin for WordPress up to version 4.4.2 allows attackers to inject malicious scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A DOM-based cross-site scripting (XSS) vulnerability exists in the BWD Elementor Addons plugin for WordPress, versions up to and including 4.4.2. The plugin's client-side code fails to neutralize user-supplied input before writing it into the page, so attacker-controlled script runs in the victim's browser on the site's origin. Because the flaw is DOM-based, the payload travels from a source the attacker controls in the browser (typically part of the URL, such as the query string or fragment) into an HTML sink in the plugin's JavaScript (such as innerHTML). The server does not reflect the payload, and if it rides in the URL fragment the server never receives it at all, so server-side output encoding and request-inspecting WAF rules do not see it.
Exploitation
An attacker exploits this by crafting a URL for a page that renders a vulnerable widget, or otherwise placing a payload in a DOM source the plugin's script reads. No authentication is needed to build the link, but the attacker must get a victim, such as a logged-in administrator or a user with Elementor editing capabilities, to open it. The payload executes when the page's JavaScript renders the widget and inserts the unsanitized input into the DOM.
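The source-to-sink flow described in the Vulnerability and Exploitation paragraphs, as an added example. This is not the plugin's code and the page does not show the affected widget; the `tab` parameter, the `tab-title` markup and the function names are assumptions chosen to illustrate the generic pattern. The vulnerable builder is shown beside a hardened one, and the URL is passed in as a string so the code runs outside a browser.

```javascript
// Added example, not the BWD Elementor Addons plugin's code. It models the
// generic DOM-based XSS pattern: text from a URL (source) is written into
// markup destined for element.innerHTML (sink) without neutralization.
// The "tab" parameter and the tab-title markup are hypothetical.

// Source: the part of the URL the attacker controls. In a browser this would
// come from window.location; here the href is a parameter so it runs in Node.
function readTabParam(href) {
  const url = new URL(href);
  // The value may arrive in the query string or in the fragment. The fragment
  // is never sent to the server, which is what makes the flow purely client-side.
  const fromQuery = new URLSearchParams(url.search).get("tab");
  const fromHash = new URLSearchParams(url.hash.replace(/^#/, "")).get("tab");
  return fromQuery ?? fromHash ?? "";
}

// Vulnerable pattern: attacker-controlled text is concatenated straight into
// markup that the widget would then assign to element.innerHTML.
function buildTabHeaderUnsafe(href) {
  const tab = readTabParam(href);
  return `<h3 class="tab-title">${tab}</h3>`;
}

// Hardened pattern, two layers:
//   1. allow-list the value, because a tab identifier has a known shape;
//   2. escape anything that still ends up in an HTML context.
// Assigning via element.textContent instead of innerHTML is the simplest fix
// when the value is meant to be plain text; the escaper below is for cases
// where markup must be built as a string.
const TAB_ID = /^[a-z0-9][a-z0-9_-]{0,63}$/i;

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function buildTabHeaderSafe(href, fallback = "default") {
  const raw = readTabParam(href);
  const tab = TAB_ID.test(raw) ? raw : fallback;
  return `<h3 class="tab-title">${escapeHtml(tab)}</h3>`;
}

// Smoke test a reviewer can run over rendered strings: does the output still
// carry a script tag or an inline event handler? Not a sanitizer, only a check.
function looksLikeActiveContent(html) {
  return /<script\b|\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample URL (not from any real report). Once innerHTML parses the
// string, the browser fires the onerror handler without any user interaction.
const PAYLOAD_URL =
  "https://example.test/page/?tab=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E";

console.log("unsafe :", buildTabHeaderUnsafe(PAYLOAD_URL));
console.log("safe   :", buildTabHeaderSafe(PAYLOAD_URL));
console.log("active?:", looksLikeActiveContent(buildTabHeaderUnsafe(PAYLOAD_URL)),
            looksLikeActiveContent(buildTabHeaderSafe(PAYLOAD_URL)));
```

The allow-list is the layer that actually removes the bug class here: a tab identifier never legitimately contains angle brackets, so anything failing the pattern is dropped rather than escaped and displayed. The escaper is the fallback for values that genuinely must be rendered as text inside markup.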
Impact
Successful exploitation runs arbitrary JavaScript in the victim's browser on the site's origin, with whatever privileges the victim's session carries. Against an administrator that script can drive wp-admin and the REST API using the victim's cookies and the nonces already present in the page, which enables session hijacking, site defacement, theft of data visible to that user, and pivoting to attacks on other users. Execution is confined to the client, but because it inherits the victim's privileges it can compromise the integrity and confidentiality of the WordPress site.
Mitigation
As of the publication date (2025-04-04), no patched version had been released. Update to the first version above 4.4.2 that the vendor publishes as fixed, as soon as it is available. In the interim, deactivate the BWD Elementor Addons plugin or restrict its use to trusted administrators; a Content Security Policy that disallows inline script blunts payloads of this kind but does not remove the underlying bug. Monitor the WordPress plugin repository for updates [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <= 4.4.2
- (no CPE) range: <= 4.4.2
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.