Platform
wordpress
Component
elementor
Fixed in
3.30.3
CVE-2025-4566 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Elementor Website Builder plugin for WordPress. This flaw allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts into pages, which are executed when a user accesses the compromised page. This vulnerability affects versions up to and including 3.30.2, and is specific to Chrome and Edge browsers. Currently, there is no official patch available to address this issue.
CVE-2025-4566 in the Elementor Website Builder plugin affects versions up to and including 3.30.2, enabling a stored Cross-Site Scripting (XSS) attack. An authenticated attacker with Contributor-level access or higher can inject malicious JavaScript code through the 'data-text' attribute of the 'Text Path' widget. This code will execute every time a user accesses the compromised page. The primary impact is potential identity theft, session cookie stealing, redirection to malicious sites, or modification of page content, compromising website security and integrity. The CVSS score is 6.4, indicating a medium-high risk.
An attacker with Contributor or higher access on a website using Elementor can exploit this vulnerability. The attacker injects malicious JavaScript code into the 'data-text' attribute of the 'Text Path' widget. This code is stored in the website's database and executes every time a user visits the page containing the compromised widget. The execution of the malicious code can allow the attacker to perform actions on behalf of the user, such as stealing confidential information or modifying the website's content. The ease of exploitation is increased by the widespread adoption of Elementor and the relative simplicity of injecting the malicious code.
Exploit Status
EPSS
0.04% (12% percentile)
CISA SSVC
CVSS Vector
The immediate solution is to update the Elementor plugin to version 3.30.3 or higher. This update corrects the vulnerability by implementing proper input sanitization and output escaping within the 'Text Path' widget. Additionally, review existing pages for potential malicious code injections, especially those created or edited by users with Contributor or higher privileges. Implementing a Content Security Policy (CSP) can help mitigate the impact of an XSS attack, even if the vulnerability isn't immediately patched. Monitoring server logs for suspicious activity is also a good security practice.
Update the Elementor plugin to version 3.30.3 or higher to mitigate the XSS vulnerability. Ensure you back up your website before updating. This update addresses the lack of sanitization and output escaping that allowed for the injection of malicious scripts.
Vulnerability analysis and critical alerts directly to your inbox.
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
If you use Elementor and have version 3.30.2 or earlier, you are likely affected. Review pages created by users with Contributor privileges or higher for suspicious code.
A Contributor is a user role in WordPress that has limited permissions to publish and edit content.
Yes, updating to version 3.30.3 or higher is the primary solution. However, it's also recommended to review existing pages for potential injections.
A CSP is a security mechanism that allows website administrators to control the resources the browser is allowed to load, helping to prevent XSS attacks.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.