{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67951", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:16.552Z", "datePublished": "2025-12-16T08:12:57.750Z", "dateUpdated": "2026-04-28T19:28:19.903Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpzoom-elementor-addons", "product": "WPZOOM Addons for Elementor", "vendor": "WPZOOM", "versions": [{"changes": [{"at": "1.2.11", "status": "unaffected"}], "lessThanOrEqual": "1.2.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Abu Hurayra | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:20.476Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor wpzoom-elementor-addons allows DOM-Based XSS.<p>This issue affects WPZOOM Addons for Elementor: from n/a through <= 1.2.10.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor wpzoom-elementor-addons allows DOM-Based XSS.This issue affects WPZOOM Addons for Elementor: from n/a through <= 1.2.10."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.559Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpzoom-elementor-addons/vulnerability/wordpress-wpzoom-addons-for-elementor-plugin-1-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress WPZOOM Addons for Elementor plugin <= 1.2.10 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-16T15:36:31.181180Z", "id": "CVE-2025-67951", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:28:19.903Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67951", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-16T15:36:31.181180Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T15:36:05.613Z"}}], "cna": {"title": "WordPress WPZOOM Addons for Elementor plugin <= 1.2.10 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Abu Hurayra | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WPZOOM", "product": "WPZOOM Addons for Elementor", "versions": [{"status": "affected", "changes": [{"at": "1.2.11", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.10"}], "packageName": "wpzoom-elementor-addons", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:02:20.476Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wpzoom-elementor-addons/vulnerability/wordpress-wpzoom-addons-for-elementor-plugin-1-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor wpzoom-elementor-addons allows DOM-Based XSS.This issue affects WPZOOM Addons for Elementor: from n/a through <= 1.2.10.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor wpzoom-elementor-addons allows DOM-Based XSS.<p>This issue affects WPZOOM Addons for Elementor: from n/a through <= 1.2.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.559Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67951", "state": "PUBLISHED", "dateUpdated": "2026-04-28T19:28:19.903Z", "dateReserved": "2025-12-15T10:00:16.552Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-16T08:12:57.750Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor wpzoom-elementor-addons allows DOM-Based XSS.This issue affects WPZOOM Addons for Elementor: from n/a through <= 1.2.10."}], "id": "CVE-2025-67951", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-16T09:15:59.717", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpzoom-elementor-addons/vulnerability/wordpress-wpzoom-addons-for-elementor-plugin-1-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:26:25.528836+00:00", "value": {"mitigation_remediation": ["Update WPZOOM Addons for Elementor to a release newer than 1.2.10 to apply the vendor patch for the XSS flaw.", "If an immediate update is not feasible, temporarily disable the plugin or remove any content that could be used to inject malicious JavaScript.", "Configure a web application firewall or security plugin to monitor and block execution of unexpected JavaScript payloads on the site."], "summary": {"action": "Apply Patch", "impact": "Client\u2011Side Cross\u2011Site Scripting (DOM\u2011Based XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects WordPress sites that have the WPZOOM Addons for Elementor plugin installed in any version from its initial release through 1.2.10 inclusive. Any instance of the plugin within that version range is susceptible to exploitation.", "description_and_impact": "Improper neutralization of input during web page generation allows DOM\u2011based cross\u2011site scripting in the WPZOOM Addons for Elementor plugin. An attacker could inject malicious JavaScript into a page that users load, leading to data theft, cookie hijacking, defacement or execution of arbitrary code within the context of the site. The flaw is classified as CWE\u201179 and provides a moderate severity risk of 6.5 on the CVSS scale.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate impact, while the EPSS score of less than 1% suggests a currently low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Likely attack vectors involve user\u2011visible parameters or content entered through the plugin\u2019s UI that is rendered via the browser\u2019s DOM, enabling an unauthenticated attacker to supply crafted input to trigger the XSS."}}}}, "created": "2025-12-16T17:09:20.382641+00:00", "updated": "2026-04-27T22:30:14.456818+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpzoom", "wpzoom$PRODUCT$wpzoom_addons_for_elementor"]}