CVE-2025-24578 – This DOM-based cross-site scripting (XSS) vulne... (How to Fix)

Q: What is the severity of CVE-2025-24578?

CVE-2025-24578 has a CVSS score of 6.5 (MEDIUM). This DOM-based cross-site scripting (XSS) vulnerability in ElementInvader Addons for Elementor allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects WordPress sites using this plugin, potentially compromising user sessions and data. All versions up to 1.3.0 are vulnerable.

📋 TL;DR

This DOM-based cross-site scripting (XSS) vulnerability in ElementInvader Addons for Elementor allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects WordPress sites using this plugin, potentially compromising user sessions and data. All versions up to 1.3.0 are vulnerable.

💻 Affected Systems

Products:

ElementInvader Addons for Elementor

Versions: All versions up to and including 1.3.0

Operating Systems: All platforms running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress with Elementor page builder and the vulnerable plugin installed.

📦 What is this software?

Elementinvader Addons For Elementor by Elementinvader

View all CVEs affecting Elementinvader Addons For Elementor →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or install malware on visitor browsers.

🟠

Likely Case

Session hijacking, credential theft, defacement of affected pages, or redirection to phishing sites.

🟢

If Mitigated

Limited impact if proper Content Security Policy (CSP) headers are implemented and user input validation is enforced elsewhere.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

DOM-based XSS typically requires user interaction but can be exploited through crafted links or forms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.1 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/elementinvader-addons-for-elementor/vulnerability/wordpress-elementinvader-addons-for-elementor-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'ElementInvader Addons for Elementor'. 4. Click 'Update Now' if update available. 5. Alternatively, download latest version from WordPress repository and replace plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the ElementInvader Addons for Elementor plugin until patched.

wp plugin deactivate elementinvader-addons-for-elementor

Implement Content Security Policy

all

Add CSP headers to restrict script execution sources.

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block XSS payloads.
Disable user input fields that trigger the vulnerability if identifiable.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for ElementInvader Addons for Elementor version 1.3.0 or earlier.

Check Version:

wp plugin get elementinvader-addons-for-elementor --field=version

Verify Fix Applied:

Verify plugin version is 1.3.1 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual POST/GET requests with script tags or JavaScript payloads to plugin endpoints.
Multiple failed XSS attempts in web server logs.

Network Indicators:

HTTP requests containing <script>, javascript:, or encoded XSS payloads to plugin-specific URLs.

SIEM Query:

source="web_logs" AND (url="*elementinvader*" OR url="*elementor*") AND (message="*<script>*" OR message="*javascript:*")

📊 Metadata

CVE ID: CVE-2025-24578

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-79

EPSS Score: 0.08% exploit probability (22.9th percentile)

Published: January 24, 2025

Last Updated: March 6, 2025

🔗 References

https://patchstack.com/database/wordpress/plugin/elementinvader-addons-for-elementor/vulnerability/wordpress-elementinvader-addons-for-elementor-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-24578, you might also want to check these: