Platform: wordpress
Component: elementor
Fixed in: 3.29.1
CVE-2025-3075 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Elementor Website Builder plugin for WordPress. It allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. The issue stems from insufficient input sanitization and output escaping in the plugin’s 'elementor-element' shortcode, and it is only exploitable when 'Element Caching' is enabled on the WordPress site. A fix is available in version 3.30.0.
Successful exploitation of CVE-2025-3075 allows an attacker to inject malicious JavaScript code into WordPress pages. When a user visits a page containing the injected script, the script will execute within their browser context. This can lead to various consequences, including session hijacking, credential theft, redirection to malicious websites, and defacement of the website. The requirement for contributor-level access limits the immediate impact, but it expands the potential attack surface compared to vulnerabilities requiring administrator privileges. The 'Element Caching' dependency means that the injected script will be cached and served to all subsequent visitors until the cache is cleared, amplifying the potential blast radius.
CVE-2025-3075 was publicly disclosed on 2025-07-29. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's nature and relatively low access requirements suggest a potential for exploitation. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
Exploit Status:
EPSS: 0.02% (6th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-3075 is to upgrade the Elementor Website Builder plugin to version 3.30.0 or later. If upgrading is not immediately feasible, disabling 'Element Caching' within the Elementor settings will prevent the script from being cached and served to other users. As a temporary workaround, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious patterns within the 'elementor-element' shortcode. Regularly review WordPress plugin updates and security advisories to proactively address potential vulnerabilities.
Update the Elementor plugin to version 3.30.0 or later to mitigate the XSS vulnerability. Ensure that 'Element Caching' is disabled or configured correctly to prevent the persistence of malicious scripts. Review pages to remove any suspicious injected content before updating.
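As an added example for the review step above (not code from the advisory or from Elementor), the script below scans exported post content for 'elementor-element' shortcodes whose attribute values carry markup, checking the stored value as well as its HTML-entity- and base64-decoded forms so that encoded payloads are not missed. The attribute names and the sample rows are constructed for illustration; the shortcode's real attribute set is not described on this page.

```python
import base64
import re
from html import unescape

# Shortcode tag named elementor-element and its attribute string; as in WordPress's own parser, a value cannot contain ']'.
SHORTCODE_RE = re.compile(r'\[elementor-element\b([^\]]*)\]', re.IGNORECASE)
# name="value", name='value' or name=bareword, the forms shortcode_parse_atts accepts.
ATTR_RE = re.compile(r'''([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))''')
# Markup that has no business inside a shortcode attribute value.
SUSPICIOUS = [
    re.compile(r'<\s*/?\s*(script|iframe|svg|img|object|embed|style)\b', re.I),
    re.compile(r'\bon[a-z]+\s*=', re.I),  # inline event handlers: onerror=, onload=, ...
    re.compile(r'javascript\s*:', re.I),
]

def _decodings(value):
    yield value  # as stored in post_content
    yield unescape(value)  # HTML entities decoded
    try:
        yield base64.b64decode(value, validate=True).decode('utf-8', 'replace')
    except ValueError:  # binascii.Error is a ValueError: not base64, skip
        pass

def parse_attrs(attr_str):
    # Exactly one of the quoted/bare value groups matches per attribute; take it.
    return {m.group(1).lower(): next(v for v in m.groups()[1:] if v is not None)
            for m in ATTR_RE.finditer(attr_str)}

def scan_post(post_id, content):
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for name, value in parse_attrs(sc.group(1)).items():
            hits = sorted({p.pattern for p in SUSPICIOUS
                           for form in _decodings(value) if p.search(form)})
            if hits:
                findings.append({'post_id': post_id, 'attr': name, 'value': value, 'matched': hits})
    return findings

# Constructed sample rows in (ID, post_content) form, not real site data.
SAMPLE_POSTS = [
    (101, 'Welcome [elementor-element id="42" class="hero"] to our site'),
    (102, 'Team [elementor-element id="7" title=\'<img src=x onerror=alert(1)>\']'),
    (103, '[elementor-element id="9" data="PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="]'),  # base64 <script>
]

if __name__ == '__main__':
    for post_id, content in SAMPLE_POSTS:
        for f in scan_post(post_id, content):
            print(f"post {f['post_id']}: attribute {f['attr']!r} matched {f['matched']}")
```

Run it over `SELECT ID, post_content FROM wp_posts` output (or a WXR export); matches are candidates for manual review, not proof of compromise.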
CVE-2025-3075 is a stored Cross-Site Scripting (XSS) vulnerability in the Elementor Website Builder plugin for WordPress, allowing authenticated attackers to inject scripts.
You are affected if you are running Elementor Website Builder versions 0.0.0–3.29.0 with 'Element Caching' enabled on your WordPress site and have users with contributor access or higher.
Upgrade the Elementor Website Builder plugin to version 3.30.0 or later. Alternatively, disable 'Element Caching' as a temporary mitigation.
While no public exploits are currently known, the vulnerability's nature suggests a potential for exploitation, so vigilance is advised.
Refer to the official Elementor security advisory for detailed information and updates: [https://elementor.com/security/](https://elementor.com/security/)