CVE-2025-32194
Description
Stored XSS vulnerability in LA-Studio Element Kit for Elementor plugin allows attackers to inject malicious scripts via unsanitized input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a stored cross-site scripting (XSS) flaw in the LA-Studio Element Kit for Elementor plugin (lastudio-element-kit) versions up to and including 1.5.1. The plugin fails to properly neutralize user input during web page generation, so an attacker can inject arbitrary JavaScript that is stored and then executed when other users view the affected page. All versions through 1.5.1 are affected [1].
Exploitation
An attacker with contributor-level access or higher (i.e., able to create or edit posts/pages using Elementor) can inject malicious scripts through vulnerable input fields provided by the plugin's widgets. The injected script is stored in the database and executed in the browsers of any user visiting the compromised page, including administrators. No additional user interaction is required beyond viewing the page.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, theft of sensitive data (e.g., cookies, authentication tokens), or further actions such as creating rogue administrator accounts. The impact is limited to the scope of the affected WordPress site and its users.
Mitigation
The vulnerability is fixed in version 1.5.2 and later. Users should update the LA-Studio Element Kit for Elementor plugin to at least version 1.5.2, with the latest version 1.6.0 recommended [1]. No workarounds are documented. If updating is not possible, consider disabling the plugin or restricting contributor access.
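A version audit for the mitigation above, as an added example that is not part of the advisory or the plugin's own code: it reads the `Version:` header of the plugin's main PHP file and flags installs at or below 1.5.1. The `plugins/lastudio-element-kit` directory layout is an assumption based on the slug given above and standard WordPress conventions.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "lastudio-element-kit"  # slug as given in the advisory text
LAST_AFFECTED = (1, 5, 1)             # affected through 1.5.1, fixed in 1.5.2

# WordPress takes the plugin version from the "Version:" line of the header
# comment in the plugin's main PHP file (only the first 8 KB are scanned).
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d[\w.+-]*)", re.M | re.I)


def parse_plugin_version(php_source):
    """Return the header version, or None if this is not a plugin main file."""
    head = php_source[:8192]
    if not re.search(r"Plugin Name:", head, re.I):
        return None
    m = _VERSION_RE.search(head)
    return m.group(1) if m else None


def is_affected(version):
    """True if version <= 1.5.1, compared numerically (so 1.10.0 > 1.5.1)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    nums = tuple(int(n) for n in m.group().split(".")) if m else ()
    nums += (0,) * (3 - len(nums))  # "1.5" compares as 1.5.0
    return nums <= LAST_AFFECTED


def audit(wp_content):
    """Return (path, version, affected) for the plugin under wp_content."""
    plugin_dir = Path(wp_content) / "plugins" / PLUGIN_SLUG
    found = []
    for php in sorted(plugin_dir.glob("*.php")):
        version = parse_plugin_version(php.read_text(errors="replace"))
        if version:
            found.append((str(php), version, is_affected(version)))
    return found


if __name__ == "__main__":
    # Usage: python audit.py /var/www/html/wp-content   (path is an example)
    for path, version, affected in audit(sys.argv[1] if len(sys.argv) > 1 else "wp-content"):
        print(f"{path}: {version}", "AFFECTED, update to >= 1.5.2" if affected else "ok")
```

A version string that cannot be parsed numerically is reported as affected, so the check fails closed.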
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.1
- Range: <=1.5.1
Patches
No patches discovered yet.
References