Plattform
wordpress
Komponente
elementor
Behoben in
3.30.3
CVE-2025-4566 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Elementor Website Builder plugin for WordPress. This flaw allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts into pages, which are executed when a user accesses the compromised page. This vulnerability affects versions up to and including 3.30.2, and is specific to Chrome and Edge browsers. Currently, there is no official patch available to address this issue.
CVE-2025-4566 in the Elementor Website Builder plugin affects versions up to and including 3.30.2, enabling a stored Cross-Site Scripting (XSS) attack. An authenticated attacker with Contributor-level access or higher can inject malicious JavaScript code through the 'data-text' attribute of the 'Text Path' widget. This code will execute every time a user accesses the compromised page. The primary impact is potential identity theft, session cookie stealing, redirection to malicious sites, or modification of page content, compromising website security and integrity. The CVSS score is 6.4, indicating a medium-high risk.
An attacker with Contributor or higher access on a website using Elementor can exploit this vulnerability. The attacker injects malicious JavaScript code into the 'data-text' attribute of the 'Text Path' widget. This code is stored in the website's database and executes every time a user visits the page containing the compromised widget. The execution of the malicious code can allow the attacker to perform actions on behalf of the user, such as stealing confidential information or modifying the website's content. The ease of exploitation is increased by the widespread adoption of Elementor and the relative simplicity of injecting the malicious code.
Exploit-Status
EPSS
0.04% (12% Perzentil)
CISA SSVC
CVSS-Vektor
The immediate solution is to update the Elementor plugin to version 3.30.3 or higher. This update corrects the vulnerability by implementing proper input sanitization and output escaping within the 'Text Path' widget. Additionally, review existing pages for potential malicious code injections, especially those created or edited by users with Contributor or higher privileges. Implementing a Content Security Policy (CSP) can help mitigate the impact of an XSS attack, even if the vulnerability isn't immediately patched. Monitoring server logs for suspicious activity is also a good security practice.
Actualice el plugin Elementor a la versión 3.30.3 o superior para mitigar la vulnerabilidad de XSS. Asegúrese de realizar una copia de seguridad de su sitio web antes de actualizar. Esta actualización aborda la falta de sanitización y escape de salida que permitía la inyección de scripts maliciosos.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
If you use Elementor and have version 3.30.2 or earlier, you are likely affected. Review pages created by users with Contributor privileges or higher for suspicious code.
A Contributor is a user role in WordPress that has limited permissions to publish and edit content.
Yes, updating to version 3.30.3 or higher is the primary solution. However, it's also recommended to review existing pages for potential injections.
A CSP is a security mechanism that allows website administrators to control the resources the browser is allowed to load, helping to prevent XSS attacks.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.