{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3076", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-31T23:12:50.027Z", "datePublished": "2025-06-10T04:23:09.744Z", "dateUpdated": "2026-04-08T16:35:04.765Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:04.765Z"}, "affected": [{"vendor": "https://elementor.com/", "product": "Elementor Website Builder Pro", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.29.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018button_text\u2019 parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Elementor Pro <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c796ee7-5394-40f3-9158-1a006efbf085?source=cve"}, {"url": "https://elementor.com/pro/changelog/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "timeline": [{"time": "2025-06-09T16:22:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-10T14:43:19.754596Z", "id": "CVE-2025-3076", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-10T14:43:29.802Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3076", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-10T14:43:19.754596Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-10T14:43:25.172Z"}}], "cna": {"title": "Elementor Pro <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "https://elementor.com/", "product": "Elementor Website Builder Pro", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.29.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-09T16:22:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c796ee7-5394-40f3-9158-1a006efbf085?source=cve"}, {"url": "https://elementor.com/pro/changelog/"}], "descriptions": [{"lang": "en", "value": "The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018button_text\u2019 parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:04.765Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3076", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:35:04.765Z", "dateReserved": "2025-03-31T23:12:50.027Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-10T04:23:09.744Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elementor:elementor_page_builder:*:*:*:*:pro:wordpress:*:*", "matchCriteriaId": "2A302839-2EA6-470B-9A94-471B4538494F", "versionEndExcluding": "3.29.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018button_text\u2019 parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Elementor Website Builder Pro para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'button_text' en todas las versiones hasta la 3.29.0 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-3076", "lastModified": "2025-07-11T17:03:28.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-10T05:15:22.503", "references": [{"source": "security@wordfence.com", "tags": ["Release Notes"], "url": "https://elementor.com/pro/changelog/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c796ee7-5394-40f3-9158-1a006efbf085?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T01:28:36.554077+00:00", "value": {"mitigation_remediation": ["Upgrade Elementor Pro to version 3.30.0 or later to remove the stored XSS vulnerability.", "Limit Contributor\u2011level permissions to only trusted users or eliminate the role where it is not required.", "If an upgrade is not immediately possible, implement a sanitization routine that cleans the button_text field before it is rendered on the page."], "summary": {"action": "Apply Patch", "impact": "Stored Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "All releases of the Elementor Website Builder Pro plugin for WordPress up to and including version 3.29.0 are affected. Users running these versions are vulnerable regardless of site configuration or additional plugins, as the flaw resides in the core handling of the button_text parameter.", "description_and_impact": "The Elementor Website Builder Pro plugin for WordPress contains a stored cross-site scripting flaw caused by inadequate sanitization of the \u2018button_text\u2019 field. Authenticated users with Contributor level access or higher can inject arbitrary JavaScript that will be persisted in the database and executed whenever a site visitor loads the affected page. The flaw is limited to the execution of injected scripts within the context of the victim\u2019s browser and does not provide attackers with direct server\u2011side privileges or data exposure beyond what the script can obtain client\u2011side.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 6.4, indicating moderate severity. Its EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild at this time. The flaw is not catalogued in the CISA KEV list. Attackers must first authenticate with Contributor privileges or higher, then modify the button_text field to store malicious JavaScript. Once stored, the script executes for any visitor to the page, creating a risk that is limited to those who access the injected content."}}}}, "created": "2026-04-28T01:30:17.925950+00:00", "updated": "2026-04-28T01:30:17.925965+00:00", "vendors": []}