CVE-2025-63042

Vulnerability

Overview

The Tutor LMS Elementor Addons plugin for WordPress (versions up to and including 3.0.1) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw enables attackers to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users access the affected pages [1].

Exploitation

Details

Exploitation requires a privileged user (such as an administrator) to perform an action—for example, clicking a malicious link, visiting a crafted page, or submitting a specially crafted form. The attacker must have the ability to supply input that is later rendered without proper sanitization, typically through plugin settings or content fields. No direct unauthenticated access is possible, but the attack can be initiated by a lower-privileged user if they can trick a higher-privileged user into interacting with the malicious payload [1].

Impact

Successful exploitation allows an attacker to inject persistent scripts that execute in the browsers of visitors to the compromised WordPress site. This can be used to redirect users to malicious sites, display unwanted advertisements, steal session cookies, or perform other client-side attacks. The vulnerability is considered medium severity (CVSS 6.5) and has been observed in mass-exploit campaigns targeting WordPress sites [1].

Mitigation

The vulnerability is patched in version 3.0.2 of the plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack recommends enabling auto-updates for vulnerable plugins or consulting with a hosting provider or web developer for assistance [1].