
CVE-2025-13196: Critical Stored XSS Found in Element Pack Addons for Elementor

Overview

CVE-2025-13196 is a MEDIUM severity Stored Cross-Site Scripting (XSS) vulnerability affecting the Element Pack Addons for Elementor plugin for WordPress. This vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into website pages. Specifically, it exists within the Open Street Map widget functionality.

Technical Details

The vulnerability stems from insufficient input sanitization and output escaping of the marker content parameter within the Open Street Map widget. This widget is part of the Element Pack Addons for Elementor plugin. Attackers can inject malicious scripts into the marker content field. Due to the lack of proper escaping, this script will be stored in the database and executed whenever a user views the page containing the affected Open Street Map widget. This affects all versions up to and including 8.3.4.

The vulnerability is present within the render function responsible for displaying the Open Street Map widget. It fails to adequately sanitize user-supplied attributes, leading to the injection of arbitrary web scripts.

CVSS Analysis

  • CVE ID: CVE-2025-13196
  • Severity: MEDIUM
  • CVSS Score: 5.4

A CVSS score of 5.4 indicates a medium severity vulnerability. While user interaction is required (a user has to visit the page with the injected script), the potential impact is significant. An attacker can potentially hijack user accounts, redirect users to malicious sites, or deface the website.

Possible Impact

Successful exploitation of this vulnerability could have several serious consequences:

  • Account Takeover: Attackers could potentially steal administrator or other user credentials by injecting malicious scripts that capture keystrokes or redirect users to phishing pages.
  • Website Defacement: Attackers could modify the content of affected pages, displaying malicious messages or images.
  • Malware Distribution: Attackers could inject scripts that redirect users to websites hosting malware.
  • Data Theft: Attackers could potentially steal sensitive data, depending on the permissions and access levels of the compromised user.

Mitigation and Patch Steps

The recommended mitigation is to update the Element Pack Addons for Elementor plugin to the latest version. The vulnerability is patched in versions greater than 8.3.4.

  1. Update the Plugin: Navigate to the Plugins section in your WordPress dashboard. Locate the Element Pack Addons for Elementor plugin and update it to the latest available version.
  2. Verify the Update: After updating, confirm that the plugin version is higher than 8.3.4.
  3. Review Existing Content: Examine any existing pages using the Open Street Map widget for any suspicious code within the marker content parameter. Remove or sanitize any potentially malicious scripts.
  4. Implement a Web Application Firewall (WAF): Consider using a WAF to provide an additional layer of protection against XSS attacks.
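For the content review in step 3, a read-only audit can flag marker text that contains active markup. The script below is an added example, not code from the plugin or from this advisory. It assumes the page's Elementor data has been exported as JSON from the `_elementor_data` post meta and that the widget's type name contains `open-street-map`. The widget type and setting names in the sample are constructed placeholders.

```python
import json
import re

# Assumption: the widget's Elementor type name contains this substring.
WIDGET_HINT = "open-street-map"

# Markup that has no business in a map marker's text (heuristic, review hits by hand).
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed|svg|style)\b"  # active elements
    r"|\bon[a-z]+\s*="                               # inline event handlers
    r"|javascript\s*:",                              # script URLs
    re.IGNORECASE,
)

# Constructed sample of one page's Elementor data; all names are hypothetical.
SAMPLE = json.dumps([{"id": "a1", "elType": "section", "settings": [], "elements": [
    {"id": "b2", "elType": "widget", "widgetType": "bdt-open-street-map",
     "settings": {"markers": [
         {"marker_title": "Office", "marker_content": "Open 9-5"},
         {"marker_title": "Depot", "marker_content": "<img src=x onerror=alert(1)>"},
     ]}, "elements": []},
    {"id": "c3", "elType": "widget", "widgetType": "text-editor",
     "settings": {"editor": "<p>Other widgets are out of scope here</p>"},
     "elements": []},
]}])

def strings(node, path=""):
    """Yield (path, text) for every string nested inside a settings value."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from strings(value, f"{path}[{i}]")

def audit(elementor_json, widget_hint=WIDGET_HINT):
    """Return (element id, setting path, matched text) for suspicious settings."""
    findings = []
    stack = list(json.loads(elementor_json))
    while stack:
        el = stack.pop()
        stack.extend(el.get("elements", []))   # descend into nested elements
        if widget_hint not in (el.get("widgetType") or ""):
            continue
        for path, text in strings(el.get("settings", {})):
            match = SUSPICIOUS.search(text)
            if match:
                findings.append((el.get("id"), path, match.group(0)))
    return findings
```

On a live site the JSON for one page can be exported with WP-CLI (`wp post meta get <post-id> _elementor_data`) and passed to `audit()`. A hit is a prompt for manual review, not proof of compromise.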


Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
