VulnerAlert



WORDPRESS
16-12-2025 10:01

CVE-2025-11220 Documented vulnerability

No score
Tags
#wordpress
#site
#plugin
#cross
#web
#elementor
#cross-site
#/elementor(.*)wordpress/iU
#elementor wordpress
#cross-site scripting
#attackers
#authenticated
#arbitrary
#vulnerable
#scripting
#inject
#execute
#attack
#access
Description
The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
https://plugins.trac.wordpress.org/changeset/3414494/elementor
https://www.wordfence.com/threat-intel/vulnerabilities/id/1a73c078-ce66-4131-8bd7-6fd48fc9fa84?source=cve
Reference

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-11220
Similar results
Matching at least 50% of the tags
16-12-2025 CVE-2025-13741
The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Ch...
16-12-2025 CVE-2025-14002
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in...
This project was co-financed by the Consejo Nacional de Ciencia y Tecnología (CONACYT) through PROINNOVA 2021/2023