CVE-2025-32640
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Ally pojo-accessibility allows Stored XSS. This issue affects Ally: from n/a through <= 3.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in Elementor Ally plugin for WordPress allows authenticated attackers to inject malicious scripts via input fields.
Vulnerability
The Elementor Ally plugin (pojo-accessibility) for WordPress versions up to and including 3.1.0 is vulnerable to Stored Cross-Site Scripting (XSS) due to improper neutralization of user-supplied input during web page generation. This allows attackers to inject arbitrary JavaScript that is stored and executed when the page is viewed.
Exploitation
To exploit this vulnerability, an attacker must have at least a role that allows input submission (e.g., Contributor) and craft a payload that bypasses input sanitization. The injected script is stored in the database and executed in the context of the victim's browser when they visit the affected page.
Impact
Successful exploitation results in Stored XSS, enabling the attacker to execute arbitrary JavaScript in the browsers of users who view the compromised page. This can lead to session hijacking, defacement, or redirection to malicious sites, depending on the attacker's payload.
Mitigation
Elementor has released version 4.1.1 of the Ally plugin, which is the latest version as of the reference date and likely includes a fix for this vulnerability. Users are advised to update to version 4.1.1 or later. No workarounds are described in the available reference [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 3.1.0
Patches
v3.8.0 (Release: pojo-accessibility 3.8.0, next version after vulnerable 3.1.0)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.