CVE-2025-7845
Description
The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Advanced Google Maps and Image Hotspot widgets in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stratum – Elementor Widgets plugin ≤1.6.0 has stored XSS via Advanced Google Maps and Image Hotspot widgets, allowing contributor+ users to inject arbitrary scripts.
Vulnerability
Description
The Stratum – Elementor Widgets plugin for WordPress, up to and including version 1.6.0, contains a stored cross-site scripting (XSS) vulnerability in the Advanced Google Maps and Image Hotspot widgets [1]. The root cause is insufficient input sanitization and output escaping of user-supplied widget attributes: a value entered in the editor is saved as-is and later written into the page's HTML without context-appropriate escaping, so script content persists in the database and is emitted on every render of the page.
Exploitation
Method
An authenticated attacker with at least contributor-level access can inject arbitrary web scripts through the vulnerable widget parameters (as stated in the CVE description). Once the content is saved, the script runs in the browser of anyone who views the affected page, including editors or administrators who preview or review the post; no interaction beyond loading the page is required.
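The mechanism above, as an added illustrative example that is not Stratum's or Elementor's own code: an Elementor widget implements a `render()` method that echoes values from `get_settings_for_display()`, and if those values reach an HTML attribute, a URL or a text node unescaped, a contributor's saved setting becomes a stored payload. The hypothetical `render_hotspot_*` functions and the `hotspot_title` / `hotspot_link` setting names below are assumptions for illustration; the payloads are constructed. The WordPress escaping helpers are polyfilled (approximately; the real `esc_url()` has a broader allow-list and keeps relative URLs) so the file runs under the `php` CLI outside WordPress.

```php
<?php
// Added example, not the plugin's code. Shows why raw interpolation of a
// widget setting into HTML is a stored XSS and what per-context escaping does.

// Stand-alone polyfills so this runs with `php` outside WordPress; inside a
// plugin you call the real esc_attr()/esc_html()/esc_url() instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: accept only http(s) URLs, so javascript:/data: URLs
    // collapse to an empty string before reaching an href.
    function esc_url(string $s): string {
        $s = trim($s);
        if (!preg_match('#^https?://#i', $s)) {
            return '';
        }
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Settings as a contributor could save them through the editor (constructed).
// The title closes the attribute it lands in and appends an event handler;
// the link uses a javascript: scheme.
$settings = [
    'hotspot_title' => 'Lobby" autofocus onfocus="alert(document.domain)',
    'hotspot_link'  => 'javascript:alert(1)',
];

// VULNERABLE pattern (hypothetical): settings written straight into markup.
function render_hotspot_vulnerable(array $s): string {
    return '<a class="hotspot" href="' . $s['hotspot_link']
         . '" title="' . $s['hotspot_title'] . '">'
         . $s['hotspot_title'] . '</a>';
}

// HARDENED pattern: escape for the context each value lands in.
//   attribute value -> esc_attr(), URL -> esc_url(), text node -> esc_html()
function render_hotspot_hardened(array $s): string {
    return '<a class="hotspot" href="' . esc_url($s['hotspot_link'])
         . '" title="' . esc_attr($s['hotspot_title']) . '">'
         . esc_html($s['hotspot_title']) . '</a>';
}

echo "vulnerable:\n", render_hotspot_vulnerable($settings), "\n\n";
echo "hardened:\n", render_hotspot_hardened($settings), "\n";
```

Running it prints the vulnerable markup with a live `onfocus` handler and a `javascript:` href, and the hardened markup with the quote encoded as `&quot;` and the href emptied. The point is that sanitizing on input is not sufficient on its own: the same value can legitimately need different treatment in an attribute, a URL and a text node, so the escape has to happen at output, per context.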
Impact
Successful exploitation lets the attacker run arbitrary JavaScript in the browser of any visitor to a page where the widget is embedded. In a default WordPress install a contributor can create and edit their own posts but cannot publish them or edit pages, so the realistic path is an editor or administrator previewing or publishing the pending post, which puts privileged sessions in reach. Because WordPress sets its authentication cookies HttpOnly, the practical payload is not raw cookie theft but actions performed with the victim's session (requests to wp-admin or the REST API authenticated by the victim's cookies, with the required nonces readable from the same origin), along with forced redirection, content defacement and credential phishing. Any published content that uses these widgets is in scope.
Mitigation
The vendor has likely addressed the issue in a version after 1.6.0, though the reference does not explicitly state the patched version [1]. Administrators should update the plugin to the latest available version from the WordPress plugin repository (confirm the installed version under Plugins > Installed Plugins or with `wp plugin list`) and then review existing content that uses these widgets for injected markup; Elementor keeps widget settings in the `_elementor_data` postmeta of each page, which is where such an audit should look. Until the update is applied, limit Elementor editor access for contributor-level accounts and avoid previewing pending posts from untrusted contributors in a privileged session.
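One way to do the content review recommended above, as an added audit helper that is not part of the plugin or of Elementor: Elementor stores a page's layout in the `_elementor_data` postmeta as a JSON tree of elements with `elType`, `widgetType`, `settings` and nested `elements`, so a scan can walk every widget's settings (including repeater lists such as a set of hotspots) and flag strings that look like script injection. The sample JSON and the widget slug `example-image-hotspot` are constructed placeholders, not the plugin's real identifiers; run the script as-is for the sample, or pass it a file containing the postmeta value (for example the output of `wp post meta get <post_id> _elementor_data`).

```php
<?php
// Added audit script, not Stratum's or Elementor's code. Walks an
// `_elementor_data` JSON tree and reports widget settings that contain
// script-like content. Exit status 1 when anything is flagged.

const SUSPICIOUS = [
    'script tag'      => '/<\s*script\b/i',
    'event handler'   => '/\bon[a-z]+\s*=/i',
    'javascript: URL' => '/javascript\s*:/i',
    'data: URL'       => '/\bdata\s*:\s*text\/html/i',
    'iframe/object'   => '/<\s*(iframe|object|embed|svg)\b/i',
];

// Repeater controls (a list of hotspots, a list of markers) nest arrays of
// settings; flatten them to "key.index.subkey" => string pairs.
function flatten_strings($value, string $key): array {
    if (is_string($value)) {
        return [$key => $value];
    }
    if (!is_array($value)) {
        return [];
    }
    $out = [];
    foreach ($value as $k => $v) {
        $out += flatten_strings($v, $key . '.' . $k);
    }
    return $out;
}

function scan_elements(array $elements, string $path = ''): array {
    $hits = [];
    foreach ($elements as $i => $el) {
        $type = $el['widgetType'] ?? ($el['elType'] ?? 'unknown');
        $here = $path . '/' . $type . '[' . $i . ']';
        foreach (($el['settings'] ?? []) as $key => $value) {
            foreach (flatten_strings($value, (string) $key) as $k => $str) {
                foreach (SUSPICIOUS as $label => $re) {
                    if (preg_match($re, $str)) {
                        $hits[] = [
                            'path'    => $here,
                            'setting' => $k,
                            'reason'  => $label,
                            'value'   => substr($str, 0, 80),
                        ];
                        break; // one reason per setting is enough for triage
                    }
                }
            }
        }
        if (!empty($el['elements']) && is_array($el['elements'])) {
            $hits = array_merge($hits, scan_elements($el['elements'], $here));
        }
    }
    return $hits;
}

// Constructed sample: a benign heading plus a hotspot repeater whose second
// entry carries a payload. Widget slugs here are placeholders.
$sample = json_encode([
    ['elType' => 'section', 'elements' => [
        ['elType' => 'column', 'elements' => [
            ['elType' => 'widget', 'widgetType' => 'heading',
             'settings' => ['title' => 'Welcome']],
            ['elType' => 'widget', 'widgetType' => 'example-image-hotspot',
             'settings' => ['hotspots' => [
                 ['title' => 'Lobby',
                  'link'  => ['url' => 'https://example.com']],
                 ['title' => '<img src=x onerror=alert(1)>',
                  'link'  => ['url' => 'javascript:alert(1)']],
             ]]],
        ]],
    ]],
]);

// Usage: php scan_elementor.php [file-with-_elementor_data-json]
$file = $argv[1] ?? null;
$raw  = $file !== null ? file_get_contents($file) : $sample;
$data = json_decode((string) $raw, true);
if (!is_array($data)) {
    fwrite(STDERR, "could not decode _elementor_data as a JSON array\n");
    exit(2);
}

$hits = scan_elements($data);
foreach ($hits as $h) {
    printf("%s  %s  [%s]  %s\n", $h['path'], $h['setting'], $h['reason'], $h['value']);
}
exit($hits ? 1 : 0);
```

On the embedded sample the scan reports two findings under `/section[0]/column[0]/example-image-hotspot[1]`: `hotspots.1.title` as an event handler and `hotspots.1.link.url` as a `javascript:` URL, while the heading is not flagged. The patterns are deliberately broad (a URL query parameter such as `?one=1` will trip the event-handler check), so treat output as a triage list to inspect, not as a verdict; to cover a whole site, loop over `SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_elementor_data'` and feed each value to the script.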
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries
- (no CPE)
- (no CPE), range: <=1.6.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.