{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1054", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-04T23:49:36.182Z", "datePublished": "2025-04-23T09:23:38.653Z", "dateUpdated": "2026-04-08T17:26:34.515Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:34.515Z"}, "affected": [{"vendor": "uicore", "product": "UiCore Elements \u2013 Free widgets and templates for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The UiCore Elements \u2013 Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "UiCore Elements \u2013 Free Elementor widgets and templates <= 1.0.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d74e8541-9726-4bc2-9fbd-f6016490e0ea?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3253371/uicore-elements"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2025-02-06T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-04-22T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:34:35.437733Z", "id": "CVE-2025-1054", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:40:20.802Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1054", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T15:34:35.437733Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:35:51.412Z"}}], "cna": {"title": "UiCore Elements \u2013 Free Elementor widgets and templates <= 1.0.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "uicore", "product": "UiCore Elements \u2013 Free widgets and templates for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-06T00:00:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-04-22T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d74e8541-9726-4bc2-9fbd-f6016490e0ea?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3253371/uicore-elements"}], "descriptions": [{"lang": "en", "value": "The UiCore Elements \u2013 Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:34.515Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1054", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:26:34.515Z", "dateReserved": "2025-02-04T23:49:36.182Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-23T09:23:38.653Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The UiCore Elements \u2013 Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento UiCore Elements \u2013 Free Elementor widgets and templates para WordPress es vulnerable a Cross-site Scripting almacenado a trav\u00e9s de los widgets Contador de IU, Cuadro de Iconos de IU, Control deslizante de Testimonios de IU, Cuadr\u00edcula de Testimonios de IU y Carrusel de Testimonios de IU en todas las versiones hasta la 1.0.16 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-1054", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-23T10:15:15.280", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3253371/uicore-elements"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d74e8541-9726-4bc2-9fbd-f6016490e0ea?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:11:47.976834+00:00", "value": {"mitigation_remediation": ["Upgrade the UiCore Elements plugin to the latest version, which contains improved input validation and output escaping.", "If an upgrade is not immediately possible, disable or restrict use of the affected widgets (UI Counter, UI Icon Box, UI Testimonial Slider/Grid/Carousel) until the plugin is patched.", "Audit existing widget content for injected scripts and remove any malicious code; apply a site\u2011wide search and replace to purge stored XSS payloads from the database."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Vendors and products affected include uicore: UiCore Elements \u2013 Free widgets and templates for Elementor, a WordPress plugin distributed via the WordPress.org repository. Any WordPress installation that has the UiCore Elements plugin installed in a version 1.0.16 or earlier is vulnerable, regardless of the WordPress core version.", "description_and_impact": "The vulnerability exists in the UiCore Elements plugin for WordPress, specifically in the UI Counter, UI Icon Box, and various UI Testimonial widgets up to and including version\u202f1.0.16. The underlying issue is insufficient input sanitization and output escaping, which allows an authenticated user with Contributor or higher privileges to inject arbitrary JavaScript into the widget configuration. When an affected page is viewed, the injected script executes in the victim\u2019s browser, enabling the attacker to steal credentials, hijack sessions, deface content, or perform further attacks against the site.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1% signals a low probability of exploitation under normal conditions. The vulnerability is not listed in the CISA KEV catalog, suggesting no current known exploitation. The attack vector is authenticated access: a user who can add or edit widget content\u2014typically a Contributor or higher\u2014must first be authenticated to the WordPress admin area. Once they supply malicious widget code, every visitor to the affected page will trigger the script, giving the attacker broad reach over all site users."}}}}, "created": "2026-04-20T23:15:06.309612+00:00", "updated": "2026-04-20T23:15:06.309623+00:00", "vendors": []}