CVE-2025-1458 – This stored XSS vulnerability in the Element Pa... (How to Fix)

Q: What is the severity of CVE-2025-1458?

CVE-2025-1458 has a CVSS score of 6.4 (MEDIUM). This stored XSS vulnerability in the Element Pack Addons for Elementor WordPress plugin allows authenticated attackers with Contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users visit the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable versions of this plugin are affected.

📋 TL;DR

This stored XSS vulnerability in the Element Pack Addons for Elementor WordPress plugin allows authenticated attackers with Contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users visit the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:

Element Pack Addons for Elementor WordPress plugin

Versions: All versions up to and including 5.10.29

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress with Elementor and Element Pack Addons plugin installed. Contributor-level access or higher needed for exploitation.

📦 What is this software?

Element Pack by Bdthemes

View all CVEs affecting Element Pack →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.

🟠

Likely Case

Attackers with contributor accounts inject malicious scripts that steal user session cookies or perform unauthorized actions on behalf of users.

🟢

If Mitigated

With proper user access controls and input validation, impact is limited to isolated script execution without privilege escalation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is straightforward once attacker has contributor-level credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.10.30 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3277466%40bdthemes-element-pack-lite&new=3277466%40bdthemes-element-pack-lite&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Element Pack Addons for Elementor'. 4. Click 'Update Now' if available. 5. If no update shows, download version 5.10.30+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable widgets

all

Temporarily disable affected widgets (Dual Button, Creative Button, Image Stack) via Elementor settings

Restrict user roles

all

Temporarily remove Contributor role access or restrict to trusted users only

🧯 If You Can't Patch

Implement strict Content Security Policy (CSP) headers to limit script execution
Install web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Element Pack Addons for Elementor → Version number. If version is 5.10.29 or lower, you are vulnerable.

Check Version:

wp plugin list --name='Element Pack Addons for Elementor' --field=version

Verify Fix Applied:

After updating, verify version shows 5.10.30 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to Elementor widget endpoints
Suspicious script tags in page content from contributor users

Network Indicators:

Unexpected script loads from WordPress pages
Suspicious outbound connections from user browsers

SIEM Query:

source="wordpress.log" AND ("element-pack" OR "bdthemes") AND (POST OR UPDATE) AND ("button" OR "widget")

📊 Metadata

CVE ID: CVE-2025-1458

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.04% exploit probability (13.1th percentile)

Published: April 26, 2025

Last Updated: May 6, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-1458, you might also want to check these: