CVE-2025-48244
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor (exclusive-addons-for-elementor) allows Stored XSS. This issue affects Exclusive Addons Elementor: from n/a through 2.7.9 (all versions <= 2.7.9).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Exclusive Addons Elementor (≤2.7.9) allows authenticated attackers to inject malicious scripts via improper input neutralization.
Vulnerability
Description
CVE-2025-48244 is a stored cross-site scripting (XSS) vulnerability in the Exclusive Addons Elementor WordPress plugin, affecting all versions up to and including 2.7.9. The plugin fails to neutralize user-supplied input when it generates page HTML, so a user with enough privilege to author or edit content through the plugin's widgets (e.g., editor or administrator roles) can store arbitrary HTML or JavaScript that is later rendered unescaped and executed in the browser of anyone who views the affected page [1].
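As an added illustration (not code from Exclusive Addons for Elementor, whose affected code is not shown on this page), the following hypothetical Elementor-style widget render function shows the class of bug the description names and its fix: stored widget settings echoed into HTML without escaping, beside the same output escaped for the context each value lands in using WordPress's esc_html(), esc_attr() and esc_url(). The setting names and payloads are constructed; the function_exists() guards provide stand-ins so the file also runs offline with the PHP CLI, while inside WordPress the real escaping functions are used.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical Elementor-style
// widget render() in vulnerable and hardened form.
// Outside WordPress (e.g. `php xss_demo.php`) the guards below supply stand-ins for
// the WP escaping functions so the file runs offline; inside WordPress the real
// esc_html()/esc_attr()/esc_url() are already defined and these blocks are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Stand-in: allow only http(s) URLs. WordPress's real esc_url() also rejects
    // 'javascript:' because it is not in the allowed-protocol list.
    function esc_url( $url ) {
        $url = trim( (string) $url );
        return preg_match( '#^https?://#i', $url )
            ? htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )
            : '';
    }
}

// Constructed widget settings, as an editor-level user could save them through the
// widget's controls. In a real Widget_Base::render() they would come from
// $this->get_settings_for_display().
$settings = array(
    'title'     => 'Hello <img src=x onerror=alert(document.cookie)>',
    'css_class' => 'box" autofocus onfocus="alert(1)',
    'link'      => 'javascript:alert(1)',
);

// Vulnerable pattern: stored values concatenated straight into HTML text and
// attribute contexts. Every visitor who loads the page runs the payload.
function render_vulnerable( array $settings ) {
    return '<div class="' . $settings['css_class'] . '">'
         . '<a href="' . $settings['link'] . '">' . $settings['title'] . '</a></div>';
}

// Hardened pattern: escape at output, choosing the escaper by context.
//   esc_attr() for attribute values, esc_url() for href/src, esc_html() for text nodes.
function render_hardened( array $settings ) {
    return '<div class="' . esc_attr( $settings['css_class'] ) . '">'
         . '<a href="' . esc_url( $settings['link'] ) . '">'
         . esc_html( $settings['title'] ) . '</a></div>';
}

echo "VULNERABLE:\n" . render_vulnerable( $settings ) . "\n\n";
echo "HARDENED:\n" . render_hardened( $settings ) . "\n";
```

Run offline, the vulnerable output contains a live onerror handler, a broken-out class attribute with an onfocus handler, and a javascript: link; the hardened output has `&lt;img ...&gt;` in the text node, `&quot;` in place of the attribute breakout quotes, and an empty href. Sanitizing on save (sanitize_text_field() and friends) is a useful defence in depth, but the fix for this bug class is escaping at output for the exact context; only fields meant to carry limited rich HTML should go through wp_kses_post() instead. When reviewing a plugin patch for an issue like this one, diff the render() methods for echoes of raw $settings[...] values.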
Exploitation
Conditions
Exploitation requires an authenticated account with enough privilege to create or edit content using the vulnerable plugin's features; the injection step itself needs no action from an administrator. Once stored, the payload runs for any visitor who loads the affected page. The vendor notes that user interaction may be required for the initial access, such as clicking a crafted link or submitting a form, but the stored payload executes automatically on page load [1].
Impact
A successful attack executes attacker-controlled script in the context of the victim's browser session on the affected site. That can be used to steal session cookies that are not HttpOnly, act as a logged-in victim (including an administrator) by issuing requests from their session, redirect users to malicious sites, inject fake advertisements, or deface the page. Given the install base of Elementor-based sites, this vulnerability is considered a candidate for mass exploitation campaigns against WordPress installations [1].
Mitigation
The vendor has released version 2.7.9.1, which resolves the issue; users should update immediately and confirm the installed version from the Plugins screen or with WP-CLI after updating. Those unable to update should apply a web application firewall (WAF) rule or ask their hosting provider for temporary hardening. Patchstack users can enable auto-updates for vulnerable plugins. Although the CVSS v3 score is medium (5.9), the practical risk is higher because the payload is stored and fires for every visitor, and the plugin is widely installed [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries, both without a CPE identifier:
- (no CPE) range: <= 2.7.9
- (no CPE) range: <= 2.7.9
Patches
No patches discovered yet (the AI Insight above reports a fixed release, 2.7.9.1, per [1]).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference (cited as [1] above)
News mentions
No linked articles in our index yet.