CVE-2025-9978
Description
The Jeg Kit for Elementor WordPress plugin before 2.7.0 does not sanitize SVG file contents when uploaded via xmlrpc.php, leading to a cross-site scripting vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jeg Kit for Elementor < 2.7.0 fails to sanitize SVG uploads via xmlrpc.php, allowing authenticated stored XSS.
Vulnerability
The Jeg Kit for Elementor WordPress plugin, in versions prior to 2.7.0, does not properly sanitize SVG file contents when uploaded via the xmlrpc.php endpoint. This lack of input validation allows an attacker to embed malicious JavaScript code within an SVG file that will execute when the file is viewed [1].
Exploitation
To exploit this vulnerability, an attacker must have at minimum Author-level access to the WordPress site. The attacker uploads a crafted SVG file containing a JavaScript payload through the XML-RPC interface. Since the plugin fails to filter SVG content, the malicious script is stored and executed in the context of any user who later views the file, such as through a media library preview [1].
Impact
Successful exploitation leads to stored cross-site scripting (XSS), which can be used to perform actions on behalf of the victim, steal session cookies, deface the site, or redirect users to malicious sites. The CVSS v3 score of 6.8 (medium) reflects the requirement for authenticated access on one hand and the potential for widespread harm on the other [1].
Mitigation
The issue is fully patched in version 2.7.0 of Jeg Kit for Elementor. Users running any prior version should update immediately. No workaround is available beyond restricting XML-RPC access or disabling SVG uploads entirely [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <2.7.0
- (no CPE) range: <2.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.