{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3614", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-14T21:19:40.931Z", "datePublished": "2025-07-24T22:23:36.960Z", "dateUpdated": "2026-04-08T16:37:05.949Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:05.949Z"}, "affected": [{"vendor": "roxnor", "product": "ElementsKit Elementor Addons \u2013 Advanced Widgets & Templates Addons for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of a custom widget in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "ElementsKit Elementor Addons and Templates <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Widget", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1627e235-7836-43dc-a3f6-7f79da6ab229?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.4.8/modules/widget-builder/controls/control-type-url.php#L9"}, {"url": "https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.4.8/modules/widget-builder/controls/widget-writer.php#L366"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Hardik Raval"}], "timeline": [{"time": "2025-04-11T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-07-09T14:43:35.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-24T09:38:18.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-25T13:31:21.228223Z", "id": "CVE-2025-3614", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-25T13:31:27.312Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3614", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-25T13:31:21.228223Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-25T13:31:23.767Z"}}], "cna": {"title": "ElementsKit Elementor Addons and Templates <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Widget", "credits": [{"lang": "en", "type": "finder", "value": "Hardik Raval"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "roxnor", "product": "ElementsKit Elementor Addons \u2013 Advanced Widgets & Templates Addons for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.5.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-11T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-07-09T14:43:35.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-24T09:38:18.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1627e235-7836-43dc-a3f6-7f79da6ab229?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.4.8/modules/widget-builder/controls/control-type-url.php#L9"}, {"url": "https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.4.8/modules/widget-builder/controls/widget-writer.php#L366"}], "descriptions": [{"lang": "en", "value": "The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of a custom widget in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:05.949Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3614", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:05.949Z", "dateReserved": "2025-04-14T21:19:40.931Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-24T22:23:36.960Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpmet:elementskit_elementor_addons:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "CDB599F8-DE78-4C29-9599-691464040969", "versionEndExcluding": "3.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of a custom widget in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-3614", "lastModified": "2025-07-28T15:07:38.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-07-24T23:15:26.453", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.4.8/modules/widget-builder/controls/control-type-url.php#L9"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.4.8/modules/widget-builder/controls/widget-writer.php#L366"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1627e235-7836-43dc-a3f6-7f79da6ab229?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T22:23:49.391795+00:00", "value": {"mitigation_remediation": ["Update the ElementsKit Elementor Addons plugin to the latest available version, which resolves the stored XSS flaw in the custom widget URL attribute.", "If an immediate update is not possible, disable or remove custom widgets that allow arbitrary URLs, or restrict Contributor role permissions so they cannot edit these widgets.", "Apply general WordPress security hardening: ensure that all user roles have the minimal permissions required and that plugin and core updates are applied promptly."], "summary": {"action": "Patch Now", "impact": "Stored cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects the ElementsKit Elementor Addons \u2013 Advanced Widgets & Templates Addons for WordPress plugin, identified as roxnor:ElementsKit Elementor Addons. All versions up to and including 3.5.2 are vulnerable; later releases are not affected.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in the URL attribute of a custom widget in ElementsKit Elementor Addons and Templates. The vulnerability allows contributors and higher\u2011privileged users to inject arbitrary JavaScript that is persisted and executed whenever a page containing the injected widget is accessed. Because the injected code runs in the context of the site\u2019s visitors, an attacker could steal session cookies, deface pages, or redirect users to malicious sites.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate\u2011to\u2011high impact, while the EPSS score of <1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with at least Contributor privileges to inject the malicious code, requiring them to log in to the WordPress administrative interface and edit a page or template containing the custom widget. Once injected, the vulnerability turns into a site\u2011wide issue, executing in every visitor\u2019s browser."}}}}, "created": "2026-04-22T22:30:28.829198+00:00", "updated": "2026-04-22T22:30:28.829211+00:00", "vendors": []}