CVE-2025-57999

Vulnerability

Overview

CVE-2025-57999 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the WPKoi Templates for Elementor plugin for WordPress, affecting versions up to and including 3.4.3. The root cause. The root cause is improper neutralization of user input during web page generation, enabling an attacker to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation

Prerequisites

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. The vulnerability can be initiated by an authenticated user with certain privileges, but successful execution depends on a privileged user performing an action that triggers the injected script [1].

Impact

An attacker exploiting this vulnerability can inject malicious scripts, including redirects, advertisements, or other HTML payloads. These scripts execute when visitors access the affected site, potentially leading to data theft, session hijacking, or defacement [1].

Mitigation

The vulnerability has been patched in version 3.4.4. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1].