Skip to content
Medium Published: Dec 16, 2025 Modified: Dec 16, 2025

CVE-2025-11220

6.4 CVSS Score Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Export CVE-2025-11220 Data:
Share:
Link copied!

Description

The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Details

Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Weaknesses (CWE)

  • CWE-79

References & External Links

External Resources

NVD Official Record Exploit-DB Search Exploits CVE Details Statistics GitHub PoC / Tools X / Twitter Discussions Google Search More

Related Vulnerabilities

CVE-2000-1205 CVSS 0 Same weakness: CWE-79 CVE-2002-0270 CVSS 0 Same weakness: CWE-79 CVE-2002-1651 CVSS 0 Same weakness: CWE-79 CVE-2002-1700 CVSS 0 Same weakness: CWE-79 CVE-2002-1852 CVSS 0 Same weakness: CWE-79

CVE History Timeline

Dec 16, 2025 12:15 New CVE Received
← Back to CVE Tracker