CVE-2025-1039 in Lenix Leads Collector Plugin
Summary
by MITRE • 02/20/2025
The Lenix Elementor Leads addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a URL form field in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 07/07/2025
The vulnerability identified as CVE-2025-1039 affects the Lenix Elementor Leads addon plugin for WordPress, representing a critical security flaw that exposes websites to persistent cross-site scripting attacks. The flaw lies in the plugin's handling of URL form fields within its user interface, where inadequate input validation and output sanitization create exploitable entry points for malicious actors. It exists in all versions of the plugin up to and including version 1.8.2, making a substantial user base potentially vulnerable to attack.
The technical nature of this vulnerability stems from the plugin's failure to properly sanitize user-supplied input before storing it in the database and subsequently rendering it on web pages. When attackers submit malicious URLs through the affected form fields, the plugin does not adequately escape or filter the input, allowing script code to be stored and executed whenever legitimate users view pages containing the injected content. This constitutes a classic stored XSS vulnerability, classified under CWE-79 in the Common Weakness Enumeration system, which specifically addresses improper neutralization of input during web page generation.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to perform various malicious activities including session hijacking, credential theft, data exfiltration, and redirection to malicious sites. Unauthenticated attackers can exploit this vulnerability without requiring any prior access to the WordPress installation, making it particularly dangerous as it can be leveraged by anyone who can submit data through the plugin's interface. The persistent nature of stored XSS means that once the malicious script is injected, it will execute automatically for any user who accesses the affected pages, potentially compromising multiple users over time.
Security professionals should recognize this vulnerability as aligning with ATT&CK technique T1566.001, which covers spearphishing via web applications, and T1584.002, which involves developing capabilities for web application attacks. The vulnerability demonstrates how third-party plugins can create significant security risks for WordPress installations, particularly when they fail to implement proper input validation and output escaping. Organizations should update to the latest version of the plugin as soon as it is available, implement input validation measures, and consider network monitoring to detect potential exploitation attempts. Administrators should also review plugin permissions and add further security layers such as web application firewalls to mitigate exploitation of this and similar vulnerabilities.
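The two controls named in the analysis, validation when a URL field is stored and escaping when it is rendered, are sketched below as an added example; this is not the plugin's code, and the function names and sample values are hypothetical. In a WordPress plugin the same roles are normally filled by `esc_url_raw()` on save and `esc_url()` on output.

```php
<?php
// Added example, not the Lenix plugin's code. Function names are hypothetical.

// Validate a submitted URL field before storage; returns null when it must be rejected.
function lead_url_sanitize_for_storage(string $raw): ?string
{
    $url = trim($raw);
    // Conservative: refuse control chars, whitespace, quotes, angle brackets, backslashes.
    if ($url === '' || preg_match('/[\x00-\x20\x7f"\'<>`\\\\]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Allow-list of schemes: anything other than http/https is refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Render a stored URL. Re-validate and escape at output time as well, because
// rows written before validation was added may already contain markup.
function lead_url_render(?string $stored): string
{
    $safe = $stored === null ? null : lead_url_sanitize_for_storage($stored);
    if ($safe === null) {
        return '<span class="lead-url-invalid">(invalid URL)</span>';
    }
    $esc = htmlspecialchars($safe, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $esc . '" rel="noopener noreferrer nofollow">' . $esc . '</a>';
}

// Constructed sample submissions for illustration only.
$samples = [
    'https://example.com/contact?ref=1&src=form',
    'javascript:alert(1)',
    'https://example.com/"><script>alert(1)</script>',
    'example.com',
];
foreach ($samples as $s) {
    $verdict = lead_url_sanitize_for_storage($s) === null ? 'REJECT' : 'STORE ';
    echo $verdict . '  ' . lead_url_render($s) . PHP_EOL;
}
```

Only the first sample is stored and rendered as a link, with `&` encoded as `&amp;` inside the attribute; the other three are rejected at write time and render as the inert placeholder.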