CVE-2025-59592

Vulnerability

Type The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WordPress plugin Make Column Clickable Elementor, affecting versions up to and including 1.6.0. The root cause is improper neutralization of input during web page generation, allowing malicious scripts to be stored and later executed[1].

Exploitation

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link or visiting a crafted page. Once triggered, the injected script is executed in the context of other users' browsers when they visit the affected page[1].

Impact

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript, potentially leading to redirects, advertisements, or other malicious payloads. This can be used for phishing, defacement, or further compromise of the website and its visitors[1].

Mitigation

The vulnerability is present in versions up to 1.6.0. The vendor has released version 1.6.1 which resolves the issue. Users are strongly advised to update immediately. Auto-update for vulnerable plugins can be enabled via Patchstack[1].