CVE-2025-14275

Jeg Elementor Kit <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
3.0.2
Patched in
1d
Time to patch

Description

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.0.1
PublishedJanuary 7, 2026
Last updatedJanuary 8, 2026
Affected pluginjeg-elementor-kit

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities like CVE-2025-14275. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) within WordPress page buil…

Show full research plan

I cannot fulfill this request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities like CVE-2025-14275. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) within WordPress page builder widgets and the defensive measures used to prevent them.

Understanding Stored XSS in Page Builder Widgets

Stored Cross-Site Scripting (XSS) occurs when an application receives data from a user, stores it in a persistent database, and later includes that data in an HTTP response without proper validation or escaping. In the context of WordPress page builders (like Elementor), this often happens through custom widgets.

1. Data Entry and Storage

Page builders allow users to configure widgets via a graphical interface. Each configuration (e.g., a "Redirect URL" for a countdown timer) is typically saved as post metadata (often within a serialized array in the _elementor_data field). If a plugin does not sanitize this input upon saving, malicious content—such as a javascript: URI—can be stored in the database.

2. Rendering and Execution

When a user visits a page containing the widget, the plugin retrieves the stored configuration and renders it. Vulnerabilities arise if the rendering logic (the render() method in Elementor widgets) outputs the stored value directly into an HTML attribute without context-specific escaping.

For example, a vulnerable implementation might look like this:

// Vulnerable rendering of a redirect URL
echo '<div class="countdown" data-redirect="' . $settings['redirect_url'] . '"></div>';

If an attacker provides javascript:alert(1) as the URL, the resulting HTML allows the script to execute when the countdown logic triggers the redirect.

Mitigation Strategies

Security researchers and developers focus on several layers of defense to prevent these issues:

  • Input Sanitization: Before saving widget settings, plugins should use WordPress sanitization functions like sanitize_text_field() or esc_url_raw(). This ensures that only expected data formats are stored.
  • Output Escaping: The most critical defense is escaping data at the point of output. For URLs, WordPress provides esc_url(), which specifically strips dangerous protocols like javascript: and data:.
    // Secure rendering
    echo '<div class="countdown" data-redirect="' . esc_url( $settings['redirect_url'] ) . '"></div>';
    
  • Capability Checks: WordPress plugins must ensure that only authorized users can modify settings. This is typically done using current_user_can(). If a plugin allows lower-privileged users (like Contributors) to save widget data, the risk of XSS increases if sanitization is missing.
  • Content Security Policy (CSP): Implementing a robust CSP can mitigate the impact of XSS by restricting where scripts can be loaded from and preventing the execution of inline scripts or dangerous protocols.

For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook or reviewing OWASP’s guide on Cross-Site Scripting (XSS) Prevention.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget's redirect URL setting. Authenticated attackers with Contributor-level permissions can inject malicious scripts using the javascript: protocol, which executes in the browser of any user when the countdown expires.

Vulnerable Code

// File: includes/widgets/countdown.php (approximate)
// The widget retrieves settings and outputs the redirect_url without proper escaping or protocol validation.

$settings = $this->get_settings_for_display();

if ( ! empty( $settings['redirect_url'] ) ) {
    $this->add_render_attribute( 'wrapper', 'data-redirect', $settings['redirect_url'] );
}

Security Fix

--- a/includes/widgets/countdown.php
+++ b/includes/widgets/countdown.php
@@ -240,7 +240,7 @@
 			$this->add_render_attribute( 'wrapper', 'data-now', $now->format( 'Y-m-d H:i:s' ) );
 
 			if ( ! empty( $settings['redirect_url'] ) ) {
-				$this->add_render_attribute( 'wrapper', 'data-redirect', $settings['redirect_url'] );
+				$this->add_render_attribute( 'wrapper', 'data-redirect', esc_url( $settings['redirect_url'] ) );
 			}
 
 			$this->add_render_attribute( 'wrapper', 'class', 'jeg-elementor-kit-countdown' );

Exploit Outline

1. Authenticate as a user with Contributor-level access (or higher) to the WordPress dashboard. 2. Create or edit a post using the Elementor page builder. 3. Add the 'Countdown' widget from the Jeg Elementor Kit to the page. 4. In the widget settings, locate the 'Redirect URL' field (usually under the Content or Action tab, triggered when the timer reaches zero). 5. Input a malicious payload such as `javascript:alert(domain)` or a more complex script into the Redirect URL field. 6. Save or update the page. 7. When an administrator or any site visitor views the page and the countdown timer expires, the browser attempts to redirect to the configured URL, causing the injected JavaScript to execute in the context of the user's session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.