VYPR
Medium severity 6.5 · NVD Advisory · Published Jun 27, 2025 · Updated Apr 23, 2026

CVE-2025-53199

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Slider For Elementor ht-slider-for-elementor allows DOM-Based XSS. This issue affects HT Slider For Elementor: from n/a through <= 1.6.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-Based XSS in HT Slider For Elementor plugin for WordPress (<=1.6.5) allows attackers to inject malicious scripts via crafted input.

Vulnerability Overview

CVE-2025-53199 is a DOM-Based Cross-Site Scripting (XSS) vulnerability found in the HT Slider For Elementor plugin for WordPress, affecting versions up to and including 1.6.5. The root cause is improper neutralization of user input during web page generation, enabling attackers to inject arbitrary scripts into the DOM. This type of flaw is commonly exploited in mass campaigns targeting WordPress sites [1].

Exploitation Requirements

Successful exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. An attacker must trick a privileged user (e.g., an administrator) into performing an action that triggers the payload. The vulnerability is classified as DOM-Based, meaning the malicious script executes in the victim's browser when the page processes attacker-controlled input [1].

Impact

An attacker can inject scripts that may redirect users to malicious sites, display advertisements, or steal sensitive information. The CVSS v3 score is 6.5 (Medium), indicating potential for significant but not critical harm. However, the vendor notes low severity and low likelihood of exploitation in typical WordPress environments [1].

Mitigation

The vulnerability is patched in version 1.6.6 of HT Slider For Elementor. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consult a hosting provider or web developer for alternative solutions [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
