Platform: wordpress
Component: elementor
Fixed in: 3.33.4
CVE-2025-11220 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Text Path widget in the Elementor Website Builder WordPress plugin. This flaw allows authenticated attackers with contributor-level access or higher to inject malicious web scripts into pages. These scripts execute when a user accesses the compromised page. This affects Elementor versions up to and including 3.33.3. The vulnerability is fixed in version 3.33.4.
CVE-2025-11220 in the Elementor plugin for WordPress affects versions up to and including 3.33.3. It allows for a Stored Cross-Site Scripting (XSS) attack through the plugin's 'Text Path' widget. An authenticated attacker, with contributor-level access or higher, can inject malicious JavaScript code into web pages. This code will execute whenever a user accesses the compromised page, potentially leading to sensitive information theft, identity spoofing, or redirection to malicious websites. The risk is significant, especially for websites with a large user base and user-generated content.
The attack requires the attacker to have authenticated access to the WordPress site with a contributor or higher permission level. The attacker can inject the malicious JavaScript code through the 'Text Path' widget on a page. Once the page is saved and viewed by other users, the script executes in their browsers. The vulnerability stems from insufficient validation and output escaping of user input when the widget generates its SVG markup, which allows <script> tags or event-handler attributes such as onload to be injected and execute arbitrary script.
Exploit Status
EPSS: 0.04% (13th percentile)
The recommended solution is to immediately update the Elementor plugin to version 3.33.4 or higher. This version includes a fix that properly neutralizes user-supplied input used to build the SVG markup within the 'Text Path' widget, preventing the execution of malicious scripts. Until the update is applied, as a preventative measure, restrict editing access for users with contributor-level permissions or higher, limiting the ability to inject potentially harmful content. Regular website backups are also a good practice to mitigate the impact of any attack.
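To illustrate the bug class described above (user-controlled widget settings concatenated into SVG markup) and the kind of contextual escaping the fix applies, here is an added example in Python. It is not Elementor's code or data model; the widget settings (text, path id, link), the render functions and the detection helper are assumptions constructed for the demonstration.

```python
import html
import re

# Constructed stand-in for the three user-controlled settings a text-on-path
# widget typically stores: the text, the id of the path it follows, and a link.
# Illustrative model only, not Elementor's code or data format.

def render_text_path_unsafe(text: str, path_id: str, link: str) -> str:
    """Vulnerable pattern: settings are concatenated straight into SVG markup,
    so '<script>' in the text or a quote in an attribute breaks out of context."""
    return (
        f'<svg><a href="{link}"><text><textPath href="#{path_id}">'
        f'{text}</textPath></text></a></svg>'
    )

def _safe_url(link: str) -> str:
    """Allow only http(s) and site-relative URLs; anything else becomes empty."""
    stripped = link.strip().lower()
    if stripped.startswith(("http://", "https://", "/")):
        return html.escape(link, quote=True)
    return ""

def render_text_path_safe(text: str, path_id: str, link: str) -> str:
    """Hardened form: each value is escaped for the context it lands in."""
    safe_text = html.escape(text, quote=False)        # text node: escape & < >
    safe_id = re.sub(r"[^A-Za-z0-9_-]", "", path_id)  # id: allowlisted chars only
    safe_link = _safe_url(link)                        # href: scheme allowlist + attr escape
    return (
        f'<svg><a href="{safe_link}"><text><textPath href="#{safe_id}">'
        f'{safe_text}</textPath></text></a></svg>'
    )

# Detection helper for auditing already-stored widget content: flags script
# tags, event-handler attributes and javascript: URLs in rendered markup.
ACTIVE_CONTENT = re.compile(r"<script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)

def contains_active_content(markup: str) -> bool:
    return bool(ACTIVE_CONTENT.search(markup))

if __name__ == "__main__":
    # Constructed sample input covering all three injection points
    sample = ("Hi <script>alert(1)</script>", 'p1" onload="alert(1)', "javascript:alert(1)")
    print("unsafe flagged:", contains_active_content(render_text_path_unsafe(*sample)))
    print("safe flagged:  ", contains_active_content(render_text_path_safe(*sample)))
```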
Update to version 3.33.4, or a newer patched version
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
In WordPress, the contributor level is a user role that allows editing posts and pages, but not managing the site in general.
You can check your Elementor version by going to 'Plugins' in the WordPress admin dashboard and looking for 'Elementor' in the list.
If you suspect your site has been compromised, you should change all passwords, scan the site for malware, and restore a clean backup.
Yes, it's important to keep WordPress, all plugins, and themes updated, use strong passwords, and enable a web application firewall (WAF).