CVE-2025-58796

Vulnerability

Overview

The Elementor Element Condition plugin for WordPress (versions up to and ele-conditions) versions up to and including 1.0.5 suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript or HTML into the plugin's settings or content fields, which is then stored and executed when other users (including site visitors) view the affected page.

Exploitation

Prerequisites

Exploitation requires a user with at least contributor-level access to the WordPress site. The attacker must be able to save malicious payloads into the plugin's input fields. While user interaction (e.g., clicking a link or visiting a crafted page) is needed to trigger the stored payload, the attack can be initiated by a low-privileged role [1]. The vulnerability is particularly dangerous because it can be used in mass-exploit campaigns targeting thousands of websites simultaneously.

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser session. This can lead to session hijacking, defacement, redirection to malicious sites, or injection of advertisements and other HTML payloads [1]. The stored nature of the XSS means the malicious script persists and affects every visitor to the compromised page, amplifying the potential damage.

Mitigation

The vendor has released version 1.0.7 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, contacting the hosting provider or a web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1]. The CVSS score of 6.5 (Medium) reflects the need for authenticated access and user interaction, but the real-world risk is elevated due to the prevalence of mass-exploitation campaigns targeting WordPress plugins.