CVE-2025-48288

Vulnerability

Overview

CVE-2025-48288 describes a Stored Cross-Site Scripting (XSS) vulnerability in the ElementInvader Addons for Elementor plugin for WordPress, affecting versions up to and including 1.3.5. The root cause is improper neutralization of user input during web page generation, allowing a user with certain privileges to inject arbitrary web scripts or HTML that are stored on the server and later executed in the context of other users' browsers [1].

Exploitation

Prerequisites

Exploitation requires a privileged user (e.g., an editor or administrator) to perform an action such as clicking a crafted link or visiting a specially prepared page. While the vulnerability can be initiated by a user with moderate privileges, successful exploitation also depends on a subsequent privileged user interacting with the injected content — the CVSS v3 base score of 6.5 reflects this requirement for user interaction [1].

Impact

An attacker who successfully exploits this vulnerability can inject malicious scripts that execute when other users (including site visitors) access the affected page. Potential impacts include redirecting visitors to malicious sites, serving advertisements, stealing session cookies, or defacing the website [1].

Mitigation

The vulnerability is addressed in version 1.3.6 of the plugin. Users are strongly advised to update immediately. For sites where immediate update is not possible, contacting the hosting provider or a web developer is recommended. Additionally, enabling auto-updates for vulnerable plugins via Patchstack can help protect against this and similar threats [1].