DOM-Based Stored Cross-Site Scripting in ElementsKit Pro for WordPress
CVE-2025-0321

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Elementskit Pro
Vendor: CVE Published:; 28 January 2025

What is CVE-2025-0321?

The ElementsKit Pro plugin for WordPress is susceptible to a DOM-Based Stored Cross-Site Scripting vulnerability via the ‘url’ parameter. This issue arises from improper input sanitization and output escaping present in all released versions up to 3.7.8. Authenticated users with Contributor-level access or higher can exploit this vulnerability to inject arbitrary web scripts into various pages. Consequently, the injected scripts will execute when a user accesses such pages, potentially compromising user data and site integrity.

Affected Version(s)

ElementsKit Pro * <= 3.7.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wpmet.com/plugin/elementskit/

https://wpmet.com/plugin/elementskit/roadmaps/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 28, 2025
Vulnerability Reserved
Jan 7, 2025

Credit

Craig Smith