CVE-2025-1005
📋 TL;DR
This stored XSS vulnerability in the ElementsKit Elementor addons plugin allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into pages using the Image Accordion widget. When other users visit the compromised pages, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. All WordPress sites using ElementsKit up to version 3.4.0 are affected.
💻 Affected Systems
- ElementsKit Elementor addons plugin for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over the WordPress site, deface pages, redirect visitors to malicious sites, or install backdoors for persistent access.
Likely Case
Malicious contributors or compromised accounts inject scripts that steal user session data, display unwanted content, or redirect users to phishing pages.
If Mitigated
With proper user access controls and content security policies, impact is limited to defacement or minor data leakage from users visiting compromised pages.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.1 or later
Vendor Advisory: https://wordpress.org/plugins/elementskit-lite/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find ElementsKit and click 'Update Now'.
4. Verify the version is 3.4.1 or higher.
🔧 Temporary Workarounds
Disable Image Accordion Widget
Temporarily disable the vulnerable widget until patching is possible
Implement Content Security Policy
Add CSP headers to restrict script execution sources
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
Note that this policy also blocks the inline scripts the WordPress admin and the Elementor front end rely on, so roll it out as Content-Security-Policy-Report-Only first and add the sources the site legitimately needs before enforcing it.
🧯 If You Can't Patch
- Restrict user roles: Remove contributor access or implement least privilege principles
- Monitor for suspicious content: Regularly review pages and posts for unexpected scripts or iframes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for ElementsKit version ≤3.4.0
Check Version:
wp plugin list --name=elementskit-lite --field=version
Verify Fix Applied:
Confirm ElementsKit version is ≥3.4.1 in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual post/page edits by contributor-level users
- Multiple rapid content modifications
- Suspicious script tags in post_content database entries
Network Indicators:
- Outbound connections to unknown domains from your WordPress site
- Unexpected script loads in page responses
SIEM Query:
source="wordpress.log" AND (event="post_updated" OR event="page_updated") AND user_role="contributor" AND content CONTAINS "<script>"
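As an added example that is not part of this advisory, the following Python scanner applies the "suspicious script tags in post_content" indicator to constructed sample rows; the role field is assumed to come from joining the post's author with the user's role, and the patterns also catch external script tags, inline event handlers and javascript: URIs that a literal "<script>" match would miss.

```python
import re

# Constructed sample rows standing in for a wp_posts / wp_postmeta export
# joined with the author's role; nothing here comes from a real site.
SAMPLE_ROWS = [
    {"id": 101, "author": "alice", "role": "editor",
     "content": "<h2>Q3 report</h2><p>All figures are final.</p>"},
    {"id": 102, "author": "bob", "role": "contributor",
     "content": '<div class="accordion"><script src="https://cdn.example.invalid/t.js"></script></div>'},
    {"id": 103, "author": "carol", "role": "contributor",
     "content": '<img src="x" onerror="run()">'},
    {"id": 104, "author": "dave", "role": "author",
     "content": '<a href="javascript:void(0)">menu</a>'},
    # Elementor keeps widget settings as JSON in the _elementor_data post meta;
    # this constructed fragment shows the JSON-escaped form a payload takes there.
    {"id": 105, "author": "erin", "role": "contributor",
     "content": r'[{"elType":"widget","settings":{"title":"<img src=\"x\" onerror=\"run()\">"}}]'},
]

# A literal "<script>" match misses external script tags, inline event
# handlers and javascript: URIs, so each indicator gets its own pattern.
PATTERNS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src)\s*=\s*\\?[\"']?\s*javascript:", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
}

# Roles that lack unfiltered_html on a default single-site install; script
# markup saved under these roles is a red flag however it got there.
LOW_PRIV_ROLES = {"contributor", "author", "subscriber"}


def scan_content(content):
    # Names of every indicator pattern found in one content blob.
    return [name for name, rx in PATTERNS.items() if rx.search(content)]


def find_suspicious(rows):
    # Flag rows containing script markup; low-privilege authors are high severity.
    findings = []
    for row in rows:
        hits = scan_content(row["content"])
        if not hits:
            continue
        findings.append({"id": row["id"], "author": row["author"], "indicators": hits,
                         "severity": "high" if row["role"] in LOW_PRIV_ROLES else "review"})
    return findings
```

Run it over both a wp_posts export and the _elementor_data post meta, where Elementor stores widget settings as JSON; the patterns match the JSON-escaped form as well, as row 105 shows.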
🔗 References
- https://plugins.trac.wordpress.org/browser/elementskit-lite/trunk/modules/layout-manager/assets/js/ekit-layout-library.js
- https://plugins.trac.wordpress.org/changeset?old_path=%2Felementskit-lite&old=3230214&new_path=%2Felementskit-lite&new=3237243&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/elementskit-lite/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5b74d6aa-ad59-42be-b454-9c27428cab01?source=cve