CVE-2025-47476 in Cost Calculator for Elementor Plugin
Summary
by MITRE • 05/07/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org Cost Calculator for Elementor allows DOM-Based XSS. This issue affects Cost Calculator for Elementor: from n/a through 1.3.3.
Analysis
by VulDB Data Team • 05/07/2025
The vulnerability identified as CVE-2025-47476 represents a critical cross-site scripting flaw within the Cost Calculator for Elementor add-on developed by add-ons.org. This particular weakness falls under the category of DOM-based XSS attacks, where malicious scripts are injected into web pages through manipulation of the Document Object Model rather than traditional server-side input handling mechanisms. The vulnerability specifically impacts versions of the plugin ranging from an unspecified starting point through version 1.3.3, indicating a potentially wide range of affected installations that could be exposed to this security risk.
The technical flaw manifests when the Cost Calculator for Elementor processes user input during web page generation without proper sanitization of potentially malicious content. In DOM-based XSS scenarios, the application's own client-side script modifies the DOM using untrusted input data, typically by passing it to sinks such as innerHTML, document.write, or similar functions that directly write page content. Because the injection happens entirely in the browser, the malicious JavaScript executes in the context of the victim's session without the server ever seeing the payload, potentially leading to session hijacking, credential theft, or other malicious activities. The issue stems from inadequate input validation and output encoding practices within the plugin's implementation.
The operational impact of this vulnerability extends beyond simple data corruption or display issues, as it creates a persistent security risk for websites utilizing the affected plugin. Attackers could exploit this weakness by crafting malicious input parameters that, when processed by the calculator, would execute unauthorized scripts in users' browsers. This could result in unauthorized access to user sessions, data exfiltration, or the execution of arbitrary commands on vulnerable systems. The severity is amplified by the fact that the vulnerability affects a widely used Elementor add-on, potentially exposing numerous websites to coordinated attacks. Organizations relying on this plugin for cost estimation and calculation functionalities face significant risk of compromise, particularly in environments where users might interact with the calculator interface.
Mitigation strategies for CVE-2025-47476 should prioritize immediate patching of the affected plugin to version 1.3.4 or later, as this represents the first release that addresses the identified XSS vulnerability. System administrators should conduct comprehensive vulnerability assessments to identify all installations of the affected plugin across their environments, ensuring that no outdated versions remain operational. Additionally, implementing proper input validation and output encoding measures, such as those recommended in CWE-79 and aligned with ATT&CK technique T1059.007 for script injection, can provide defense-in-depth measures. Organizations should also consider implementing Content Security Policies to limit the execution of unauthorized scripts and monitor web application logs for suspicious activities that may indicate exploitation attempts. Regular security audits and vulnerability scanning should be maintained to prevent similar issues from emerging in other components of the web application stack.
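The DOM sink pattern described in the analysis and the output-encoding mitigation recommended above, shown side by side in an added example. This is illustrative code written for this page, not code from the Cost Calculator for Elementor plugin or from add-ons.org; it assumes a hypothetical calculator widget that reads a "label" query parameter from the page URL and renders it next to a computed total (the plugin's real parameter names and markup are not on the page). The functions are written to run in Node.js as well as a browser so the difference between the two renderers can be checked without a DOM.

```javascript
// Added example, not the plugin's own code. Demonstrates the DOM-based XSS
// pattern (untrusted input reaching an HTML sink) and the CWE-79 fix
// (output encoding for the HTML text context, or a text-only DOM sink).

// Minimal HTML entity encoder for an HTML text/attribute context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// How a widget might pull the label out of the current page URL.
// The parameter name "label" is an assumption for this example.
function labelFromUrl(href) {
  const url = new URL(href);
  return url.searchParams.get('label') ?? 'Estimate';
}

// VULNERABLE pattern: the untrusted label is concatenated into markup that a
// widget would then assign to element.innerHTML. Any tags in the label become
// live DOM nodes. Kept only to show what the flaw looks like.
function renderTotalUnsafe(label, total) {
  return `<div class="cc-result"><span class="cc-label">${label}</span>: ${Number(total).toFixed(2)}</div>`;
}

// HARDENED pattern: every untrusted value is encoded before it reaches the
// sink, so tags are displayed as literal text rather than parsed.
function renderTotalSafe(label, total) {
  return `<div class="cc-result"><span class="cc-label">${escapeHtml(label)}</span>: ${Number(total).toFixed(2)}</div>`;
}

// Alternative fix when the code already holds a DOM element: write the value
// through a text-only sink (textContent) instead of innerHTML. `el` is any
// object with a textContent property, so this also runs without a real DOM.
function setLabelSafely(el, label) {
  el.textContent = String(label);
  return el;
}

// Constructed sample input: a URL whose "label" parameter carries markup.
const CONSTRUCTED_HREF =
  'https://example.test/calc/?label=%3Cb%3EQuote%3C%2Fb%3E%3Cimg%20src%3Dx%3E';

function demo() {
  const label = labelFromUrl(CONSTRUCTED_HREF);
  const unsafe = renderTotalUnsafe(label, 12.5);
  const safe = renderTotalSafe(label, 12.5);
  console.log('decoded label :', label);
  console.log('unsafe markup :', unsafe); // tags survive and would be parsed by innerHTML
  console.log('safe markup   :', safe);   // tags are encoded and shown as text
  return { label, unsafe, safe };
}

demo();
```

The check that matters in review is whether any string derived from `location`, `document.referrer`, form fields or similar reaches `innerHTML`, `document.write` or `insertAdjacentHTML` without passing through an encoder; a Content Security Policy that disallows inline script limits what an injected tag can do but does not remove the injection itself.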