{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14275", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-08T16:22:19.518Z", "datePublished": "2026-01-08T02:21:16.382Z", "dateUpdated": "2026-04-08T17:06:38.583Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:38.583Z"}, "affected": [{"vendor": "jegtheme", "product": "Jeg Kit for Elementor \u2013 Powerful Addons for Elementor, Widgets & Templates for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element."}], "title": "Jeg Elementor Kit <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8fcb4047-5173-4d10-a4bb-72f1919b9203?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/3.0.1/assets/js/elements/countdown.js#L1"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432624%40jeg-elementor-kit%2Ftrunk&old=3379532%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2025-12-09T04:36:28.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-07T14:17:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T16:21:51.958710Z", "id": "CVE-2025-14275", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T16:21:58.848Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14275", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T16:21:51.958710Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T16:21:55.291Z"}}], "cna": {"title": "Jeg Elementor Kit <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "jegtheme", "product": "Jeg Kit for Elementor \u2013 Powerful Addons for Elementor, Widgets & Templates for WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-09T04:36:28.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-07T14:17:03.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8fcb4047-5173-4d10-a4bb-72f1919b9203?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/3.0.1/assets/js/elements/countdown.js#L1"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432624%40jeg-elementor-kit%2Ftrunk&old=3379532%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:38.583Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14275", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:06:38.583Z", "dateReserved": "2025-12-08T16:22:19.518Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-08T02:21:16.382Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element."}, {"lang": "es", "value": "El plugin Jeg Elementor Kit para WordPress es vulnerable a cross-site scripting almacenado en todas las versiones hasta la 3.0.1, inclusive, debido a una sanitizaci\u00f3n de entrada insuficiente en la funcionalidad de redirecci\u00f3n del widget de cuenta regresiva. Esto permite a atacantes autenticados, con acceso de nivel Colaborador o superior, inyectar JavaScript arbitrario que se ejecutar\u00e1 cuando un administrador u otro usuario vea la p\u00e1gina que contiene el elemento de cuenta regresiva malicioso."}], "id": "CVE-2025-14275", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-08T03:15:43.033", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/3.0.1/assets/js/elements/countdown.js#L1"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432624%40jeg-elementor-kit%2Ftrunk&old=3379532%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8fcb4047-5173-4d10-a4bb-72f1919b9203?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:35:44.545691+00:00", "value": {"mitigation_remediation": ["Upgrade Jeg Elementor Kit to the latest release (version 3.0.2 or newer) once it is available, as that version removes the insecure redirect handling.", "If an update cannot be applied immediately, restrict the Contributor role\u2019s ability to add or edit widgets or disable the Countdown widget so that no user can upload malicious scripts via it.", "Audit existing pages that contain countdown widgets for any unexpected JavaScript and remove it manually if found."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting (arbitrary JavaScript execution)"}, "threat_synthesis": {"affected_systems": "All installations that run Jeg Elementor Kit for Elementor \u2013 Powerful Addons for Elementor on WordPress with version 3.0.1 or earlier are vulnerable. The flaw exists in every version of the plugin up to and including 3.0.1; any WordPress site that has this plugin installed and a user who can inject content via the countdown widget is at risk.", "description_and_impact": "The Jeg Elementor Kit plugin for WordPress suffers from a stored Cross\u2011Site Scripting flaw in the countdown widget\u2019s redirect functionality. Because user input is not properly sanitized, an authenticated user with Contributor or higher privilege can inject malicious JavaScript that is saved and later executed automatically when the page containing the countdown element is viewed by any user, including administrators. This flaw is a classic example of a code injection weakness (CWE\u201179), enabling attackers to run arbitrary scripts in the victim\u2019s browser, potentially stealing cookies, session tokens, or modifying page content.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity, primarily due to the requirement for authenticated access to inject and the local execution context. The EPSS score of <1 percentage point suggests that, as of now, the likelihood of widespread exploitation is very low. However, because the vulnerability allows arbitrary JavaScript execution, a determined attacker who can compromise a Contributor\u2011level account, or force a user with higher privileges to view a maliciously crafted page, could achieve significant damage. The flaw is not listed in CISA\u2019s KEV catalog, so no public exploits are documented yet."}}}}, "created": "2026-01-08T09:47:47.895870+00:00", "updated": "2026-04-21T16:45:15.212920+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "jegtheme", "jegtheme$PRODUCT$jeg_elementor_kit", "wordpress", "wordpress$PRODUCT$wordpress"]}