CVE-2025-9978

CVE-2025-9978: Jeg Elementor Kit < 2.7.0 - Author+ Stored XSS

Vendor Unknown
Product Jeg Kit for Elementor
Published October 24, 2025
Last update January 9, 2026

CVSS base score

What the vulnerability does

01Description

The Jeg Kit for Elementor WordPress plugin before 2.7.0 does not sanitize SVG file contents when uploaded via xmlrpc.php, leading to a cross site scripting vulnerability.

Key dates

02Disclosure timeline

October 24, 2025 CVE published
January 9, 2026 Record updated