VYPR
Medium severity 6.5 · NVD Advisory · Published Oct 27, 2025 · Updated Apr 27, 2026

CVE-2025-62923

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Debuggers Studio Marquee Addons for Elementor marquee-addons-for-elementor allows DOM-Based XSS. This issue affects Marquee Addons for Elementor: from n/a through <= 3.8.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-based XSS in Debuggers Studio Marquee Addons for Elementor plugin (<= 3.8.2) allows injected scripts via user input in Elementor widgets.

Vulnerability Overview

The vulnerability resides in the 'Marquee Addons for Elementor' plugin by Debuggers Studio, affecting versions up to 3.8.2. The issue is an improper neutralization of input during web page generation, leading to a DOM-based Cross-Site Scripting (XSS) vulnerability. This occurs because user-controlled input is not sanitized before being used in the Document Object Model (DOM) of the page, allowing attackers to inject malicious scripts.

Attack Vector and Prerequisites

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. An attacker must be authenticated with a role that can interact with Elementor widgets (e.g., editor or admin). The vulnerability is triggered when a privileged user performs an action that processes unsanitized input within the plugin's Elementor addons, leading to script execution in the victim's browser.

Impact

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the victim's session. This can result in malicious redirects, defacement, data theft, or other client-side attacks when other users (including visitors) access the affected page. The CVSS v3 score of 6.5 reflects medium severity, primarily due to the need for user interaction and the attacker's required privileges.

Mitigation and Status

The vendor has released version 3.8.3, which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack reports that the vulnerability is considered low severity and unlikely to be exploited, but updating remains the recommended action. The plugin does not appear on the CISA KEV list as of the publication date [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
