CVE-2025-0321 MEDIUM

CVE-2025-0321: ElementsKit Pro <= 3.7.8 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via url Parameter

Vendor Wpmet

Product ElementsKit Pro

Weakness CWE-79 · XSS

Published January 28, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

6.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The ElementsKit Pro plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.7.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Key dates

02Disclosure timeline

January 28, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-0321 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2023-20143 Cisco Small Business RV016, RV042, RV042G, RV082 , RV320, and RV325 Routers Cross-Site Scripting Vulnerabilities CVE-2024-54257 WordPress tydskrif theme <= 1.1.3 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-2503 Exclusive Addons for Elementor <= 2.6.9.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via Post Grid CVE-2025-48098 WordPress Survey Maker plugin <= 5.1.8.8 - Cross Site Scripting (XSS) vulnerability CVE-2023-27621 WordPress Livestream Notice Plugin <= 1.2.0 is vulnerable to Cross Site Scripting (XSS)