DOM-Based Stored Cross-Site Scripting in ElementsKit Pro for WordPress
CVE-2025-0321
5.4MEDIUM
Summary
The ElementsKit Pro plugin for WordPress is susceptible to a DOM-Based Stored Cross-Site Scripting vulnerability via the ‘url’ parameter. This issue arises from improper input sanitization and output escaping present in all released versions up to 3.7.8. Authenticated users with Contributor-level access or higher can exploit this vulnerability to inject arbitrary web scripts into various pages. Consequently, the injected scripts will execute when a user accesses such pages, potentially compromising user data and site integrity.
Affected Version(s)
ElementsKit Pro * <= 3.7.8
References
CVSS V3.1
Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Craig Smith