CVE-2025-63033

The Make Section & Column Clickable For Elementor plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This flaw allows attackers to inject arbitrary HTML and JavaScript code into the plugin's fields, which is then stored and executed when users view the page.

Exploitation requires a user with at least contributor-level privileges to input malicious content through the plugin's interface. The attacker does not need any additional authentication beyond a valid WordPress account with appropriate permissions. Once injected, the malicious script runs in the context of any visitor's browser, potentially leading to further attacks.

An attacker could leverage this vulnerability to perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing session cookies. The CVSS score of 5.9 indicates medium severity, but the vulnerability is notable for its potential use in mass-exploit campaigns targeting thousands of WordPress sites.

The issue is patched in version 2.4.1 of the plugin. Users are strongly advised to update immediately or enable auto-updates for this plugin. No workarounds have been provided, and the vendor recommends updating as the only complete fix [1].