ElementsKit Lite < 3.5.3 – Contributor+ Stored XSS via Image Comparison Widget | CVE 2025-4479 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

elementskit-lite

Fixed in 3.5.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c2995828-8a3e-400d-9e2b-aba8fd17cf00

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Asaf Mozes

Verified

No

WPVDB ID

e4cf386b-3c9b-48bf-8056-c782d2c867b9

Timeline

Publicly Published

2025-06-18 (about 10 months ago)

Added

2025-06-19 (about 10 months ago)

Last Updated

2025-06-19 (about 10 months ago)

Other

Published

Title

Published

2024-05-14

Title

RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging < 4.23.9 - Reflected Cross-Site Scripting

Published

2022-01-26

Title

Add Subtitle <= 1.1.0 - Contributor+ Stored Cross-Site Scripting

Published

2026-04-22

Title

Contact Form to Any API <= 3.0.3 - Unauthenticated Stored Cross-Site Scripting

Published

2023-01-13

Title

No API Amazon Affiliate < 4.4.0 - Admin+ Stored XSS

Published

2024-12-17

Title

Philantro – Donations and Donor Management < 5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting