Platform: wordpress
Component: elementor
Fixed in: 3.29.1
CVE-2025-3075 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Elementor Website Builder plugin for WordPress. This vulnerability allows authenticated attackers, possessing contributor-level access or higher, to inject arbitrary web scripts into pages. The issue stems from insufficient input sanitization and output escaping within the plugin’s 'elementor-element' shortcode, and is only exploitable when 'Element Caching' is enabled on the WordPress site. A fix is available in version 3.30.0.
An attacker exploiting CVE-2025-3075 can inject arbitrary JavaScript code into pages accessible to users with contributor-level access or higher. This injected script executes whenever a user visits the compromised page, enabling the attacker to steal cookies, redirect users to malicious websites, or deface the website. The impact is amplified if the website handles sensitive user data, as attackers could potentially gain access to credentials or other confidential information. The requirement for 'Element Caching' to be enabled narrows the scope, but still represents a significant risk for sites utilizing this feature.
CVE-2025-3075 is currently not listed on KEV or EPSS. The CVSS score of 6.4 (MEDIUM) suggests a moderate likelihood of exploitation. Public proof-of-concept (PoC) code may emerge, increasing the risk. Published on 2025-07-29, it is relatively recent, so active exploitation campaigns are not yet confirmed but should be monitored.
WordPress websites utilizing the Elementor Website Builder plugin, particularly those with 'Element Caching' enabled, are at risk. Shared hosting environments where users have contributor-level access or higher are especially vulnerable, as they provide a potential attack vector for malicious script injection.
• wordpress / composer / npm:
  grep -r 'elementor-element shortcode' /var/www/html/wp-content/plugins/elementor/src/
• wordpress / composer / npm:
  wp plugin list --status=active | grep elementor
• wordpress / composer / npm:
  wp plugin update elementor
• generic web:
  Check the Elementor plugin version using curl -I <wordpresssiteurl>/wp-content/plugins/elementor/elementor.php and verify it is >= 3.30.0.
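The detection commands above tell you whether Elementor is installed and active, but not whether the installed build is at or above the fixed release. The following POSIX shell script is an added example, not part of this advisory or of Elementor's own tooling: it reads the `Version:` header from the plugin's main file (`elementor.php` on a real install) and compares it with the 3.30.0 release the advisory names as fixed. The sample plugin header it creates is constructed for the demonstration; pass the path of the real `elementor.php` as the first argument to check a live install.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed Elementor
# build is below the release the advisory names as fixed.

FIXED_VERSION="3.30.0"   # fixed release per the advisory text

# Extract the dotted version from a WordPress plugin header ("Version: x.y.z").
plugin_version() {
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_lt A B: succeeds (exit 0) when dotted version A is strictly lower than B.
# Missing components are treated as 0, so 3.30 and 3.30.0 compare equal.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0;
      yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1;   # equal versions are not "less than"
  }'
}

# Print "vulnerable" when the version is below the fixed release, else "patched".
assess_version() {
  if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# Constructed sample plugin header standing in for elementor.php on a real site.
sample="$(mktemp)"
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<?php
/**
 * Plugin Name: Elementor
 * Version: 3.29.0
 */
EOF

PLUGIN_FILE="${1:-$sample}"
installed="$(plugin_version "$PLUGIN_FILE")"
printf 'Elementor %s: %s (fixed in %s)\n' "$installed" "$(assess_version "$installed")" "$FIXED_VERSION"
```

On a site managed with WP-CLI, `wp plugin get elementor --field=version` gives the same installed version without reading the file; the comparison function works unchanged on that output. The version check is a hygiene signal only: an already-injected script inside cached elements survives the upgrade until the affected content is cleaned, as the mitigation section notes.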
disclosure
Exploit status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-3075 is to upgrade the Elementor plugin to version 3.30.0 or later. If immediate upgrading is not feasible, consider disabling 'Element Caching' as this is a prerequisite for exploitation. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious JavaScript injections within Elementor shortcodes. Regularly review user roles and permissions to ensure only necessary access is granted. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload through the 'elementor-element' shortcode and verifying that it is properly sanitized.
Update the Elementor plugin to version 3.30.0 or later to mitigate the XSS vulnerability. Make sure 'Element Caching' is disabled or correctly configured to prevent malicious scripts from persisting. Review pages to remove any suspicious content injected before the update.
Vulnerability analyses and critical alerts delivered straight to your inbox.
CVE-2025-3075 is a stored Cross-Site Scripting (XSS) vulnerability in the Elementor Website Builder plugin for WordPress, allowing authenticated attackers to inject scripts.
You are affected if you are using Elementor Website Builder versions 0.0.0–3.29.0 and have 'Element Caching' enabled on your WordPress site, and users have contributor access or higher.
Upgrade the Elementor Website Builder plugin to version 3.30.0 or later. Alternatively, disable 'Element Caching' as a temporary mitigation.
While no public exploits are currently known, the vulnerability's nature suggests a potential for exploitation, so vigilance is advised.
Refer to the official Elementor security advisory for detailed information and updates: [https://elementor.com/security/](https://elementor.com/security/)
Upload your dependency file and find out instantly whether this and other CVEs affect you.