{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11220", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-30T23:12:28.298Z", "datePublished": "2025-12-16T11:15:44.155Z", "dateUpdated": "2026-04-08T16:38:05.769Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:05.769Z"}, "affected": [{"vendor": "elemntor", "product": "Elementor Website Builder \u2013 more than just a page builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.33.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Elementor <= 3.33.3 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Text Path", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a73c078-ce66-4131-8bd7-6fd48fc9fa84?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3414494/elementor"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "timeline": [{"time": "2025-09-30T23:29:19.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-15T22:04:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-16T14:49:40.804046Z", "id": "CVE-2025-11220", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T14:49:52.645Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11220", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-16T14:49:40.804046Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T14:49:48.685Z"}}], "cna": {"title": "Elementor <= 3.33.3 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Text Path", "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "elemntor", "product": "Elementor Website Builder \u2013 more than just a page builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.33.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-30T23:29:19.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-15T22:04:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a73c078-ce66-4131-8bd7-6fd48fc9fa84?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3414494/elementor"}], "descriptions": [{"lang": "en", "value": "The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:05.769Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11220", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:38:05.769Z", "dateReserved": "2025-09-30T23:12:28.298Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-16T11:15:44.155Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11220", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-16T12:15:45.467", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3414494/elementor"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a73c078-ce66-4131-8bd7-6fd48fc9fa84?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:14:24.293917+00:00", "value": {"mitigation_remediation": ["Apply the latest Elementor plugin update (3.33.4 or newer if available) to eliminate the XSS flaw.", "If a patch is not yet available, disable the Text Path widget on all pages or strip user input before rendering SVG to prevent script injection.", "Restrict contributor\u2011level accounts by enforcing least\u2011privilege policies or enabling two\u2011factor authentication, and monitor for suspicious SVG content with a web\u2011application firewall or security plugin."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Elementor plugin, version 3.33.3 or earlier. The vulnerability is present in all releases up to and including 3.33.3, affecting the Text Path widget of the plugin.", "description_and_impact": "The Elementor plugin contains an insufficient neutralization of user\u2011supplied input used in the Text Path widget. Injected characters are incorporated into SVG markup that is stored in the page content, causing the web browser to execute arbitrary JavaScript whenever a user loads that page. An authenticated user with contributor level or higher can perform the injection. The impact is the execution of client\u2011side script on any visitor to the compromised page.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity. The EPSS score of less than 1% suggests that current exploitation likelihood is low. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires authenticated access with contributor privileges, and the attack vector is via the plugin\u2019s user interface that stores SVG content in the database. Once stored, the data is rendered on all page views, allowing the attacker to affect any site visitor. Overall risk is moderate due to the requirement for contributor access, but the potential for widespread client\u2011side compromise warrants swift action."}}}}, "created": "2025-12-16T17:08:42.616784+00:00", "updated": "2026-04-27T22:15:15.131842+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}