CVE-2025-62094

Vulnerability

Overview

The Void Elementor WHMCS Elements For Elementor Page Builder plugin for WordPress (versions <= 2.0.1.2) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an authenticated attacker with contributor-level privileges or higher to inject malicious scripts into the plugin's output, which are then executed in the browsers of other users visiting the affected pages.

Exploitation

Requirements

Exploitation requires the attacker to have at least a contributor role on the WordPress site, meaning they can create or edit posts. The vulnerability is triggered when a privileged-initiated, meaning a user with the necessary role must perform an action (e.g., submitting a form or clicking a link) to trigger the payload [1]. No special network position is needed beyond standard web access to the WordPress admin interface.

Impact

Successful exploitation allows the attacker to inject arbitrary HTML and JavaScript into the victim's browser session. This can be used to redirect visitors to malicious sites, display unwanted advertisements, steal session cookies, or perform other actions within the security context of the vulnerable site [1]. The CVSS v3 base score of 6.5 reflects the medium severity of this issue.

Mitigation

The vendor has not released a patched version as of the publication date. Users are strongly advised to update the plugin immediately if a fix becomes available. As a workaround, site administrators should restrict contributor-level access to trusted users only and consider using a web application firewall to block common XSS payloads [1].