CVE-2025-0321

Published Jan 28, 2025

Last updated 23 days ago

CVSS medium 6.4

Overview

Description: The ElementsKit Pro plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.7.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: security@wordfence.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.4
Impact score: 2.7
Exploitability score: 2.3
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

security@wordfence.com: CWE-79

Hype score: Not currently trending

CVE-2025-0321 DOM-Based Stored XSS in ElementsKit Pro WordPress Plugin via 'url' Parameter https://t.co/3TLr54BGhe
@VulmonFeeds
28 Jan 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:wpmet:elementskit:*:*:*:*:pro:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5D57D782-4088-4776-88EF-9F00BE21591C",
            "versionEndExcluding": "3.7.9"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References