CVE-2025-64362

The K Elements WordPress plugin versions before 5.5.0 contain a DOM-Based Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of user-controlled input during web page generation. This means the plugin fails to sanitize or escape data that is processed client-side, allowing malicious scripts to be executed within the browser's DOM environment [1].

The attack vector requires user interaction—a privileged user must click a malicious link, visit a crafted page, or submit a specially crafted form. The vulnerability can be triggered without requiring authentication, making it accessible to unauthenticated attackers. However, successful exploitation depends on enticing a user with elevated privileges to perform the interactive action [1].

If exploited, an attacker can inject arbitrary HTML and JavaScript payloads that execute in the context of the victim's browser session. This could be used to perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing sensitive session data from authenticated users [1].

The vendor has released version 5.5.0 which addresses the vulnerability. Users are strongly advised to update immediately or enable auto-updates for the plugin. For those unable to update, contacting the hosting provider or a web developer for assistance is recommended [1].