CVE-2025-7845 in Stratum Plugin
Summary
by MITRE • 08/01/2025
The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Advanced Google Maps and Image Hotspot widgets in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 08/01/2025
The vulnerability identified as CVE-2025-7845 affects the Stratum – Elementor Widgets plugin for WordPress, specifically its Advanced Google Maps and Image Hotspot widgets. It is a critical security flaw for WordPress sites that use this plugin, because it allows stored cross-site scripting: injected content is saved on the server and persists across user sessions and page views. The flaw lies in the plugin's handling of user-supplied widget attributes, where insufficient sanitization and output escaping fail to validate or encode potentially malicious content before it is stored and later rendered into pages.
Technically, the flaw stems from the plugin's failure to pass widget input through proper sanitization filters on save and output escaping routines on render. When authenticated users with contributor-level privileges or higher configure the affected widgets, they can place script content in configurable attributes that is then stored in the WordPress database. That stored content becomes part of the page markup and executes automatically in the browser of any user who views the affected page, creating a persistent threat vector that can compromise user sessions and potentially exfiltrate sensitive information. The weakness is classified as CWE-79, improper neutralization of input during web page generation (cross-site scripting).
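The defect described above, rendering stored widget settings into HTML without escaping, is shown below beside its hardened form. This is an added example written for this page, not code from the Stratum plugin: the widget structure, the setting names (`title`, `hotspots`, `link`, `tooltip`, `label`) and the two render functions are assumptions, and the `esc_*` stand-ins are simplified replacements for the real WordPress functions so the file also runs outside WordPress.

```php
<?php
// Added example, not code from the Stratum plugin: a simplified Elementor-style
// image-hotspot render routine shown twice, first with the defect the advisory
// describes (widget settings echoed into HTML unescaped), then hardened with
// WordPress's context-specific escaping functions. Widget settings are saved by
// whoever edits the page, so a contributor controls every value rendered below.

// Stand-ins so the file also runs under plain `php` outside WordPress; inside
// WordPress the real esc_attr()/esc_html()/esc_url() are already defined and win.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: reject non-web schemes, then entity-encode. The real
    // WordPress esc_url() also normalises the URL and strips control characters.
    function esc_url(string $url): string {
        $scheme = strtolower((string) parse_url(trim($url), PHP_URL_SCHEME));
        if ($scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto', 'tel'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/** Vulnerable pattern: settings concatenated straight into attributes and text. */
function render_hotspots_vulnerable(array $settings): string
{
    $html = '<div class="hotspot-image" data-title="' . $settings['title'] . '">';
    foreach ($settings['hotspots'] as $spot) {
        $html .= '<a class="hotspot" href="' . $spot['link'] . '" title="' . $spot['tooltip'] . '">'
               . $spot['label'] . '</a>';
    }
    return $html . '</div>';
}

/** Hardened pattern: each value escaped for the exact HTML context it lands in. */
function render_hotspots_hardened(array $settings): string
{
    $html = '<div class="hotspot-image" data-title="' . esc_attr($settings['title']) . '">';
    foreach ($settings['hotspots'] as $spot) {
        $html .= '<a class="hotspot" href="' . esc_url($spot['link']) . '" title="' . esc_attr($spot['tooltip']) . '">'
               . esc_html($spot['label']) . '</a>';
    }
    return $html . '</div>';
}

// Constructed widget settings of the kind a contributor could save: each field
// carries a harmless probe string that would break out of its HTML context.
$settings = [
    'title'    => 'Campus map" onmouseover="alert(1)',
    'hotspots' => [
        ['link' => 'javascript:alert(1)',      'tooltip' => 'Library', 'label' => 'Library'],
        ['link' => 'https://example.com/cafe', 'tooltip' => 'Cafe',    'label' => '<script>alert(1)</script>'],
    ],
];

echo "Vulnerable render:\n", render_hotspots_vulnerable($settings), "\n\n";
echo "Hardened render:\n",   render_hotspots_hardened($settings), "\n";
```

The point of the hardened version is that the escaping function is chosen per context: `esc_attr()` for attribute values, `esc_html()` for text nodes and `esc_url()` for `href`, which also drops the `javascript:` scheme rather than merely encoding it. Sanitizing on save (for example with `sanitize_text_field()`) is a useful second layer, but output escaping at render time is what closes the CWE-79 gap regardless of how the value reached the database.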
The operational impact extends beyond simple script execution: the vulnerability gives attackers a means to hijack sessions, deface the site, steal user credentials, or redirect visitors to malicious domains. Injected JavaScript runs in the victim's browser with access to cookies, localStorage, and other client-side data that may hold session tokens or sensitive user information. The privilege-escalation aspect is that even users with relatively low permissions can exploit this weakness, which makes it particularly dangerous for WordPress installations where multiple users contribute content. This vulnerability aligns with ATT&CK technique T1566.001, which covers the exploitation of web applications through the injection of malicious code into web pages.
Mitigation for CVE-2025-7845 should start with updating the plugin to a release that corrects the sanitization and escaping deficiencies. Administrators should enforce strict input validation at multiple layers, server-side filtering and client-side sanitization included, so that malicious content is never stored in the database. Regular security audits should look for other injection points in the WordPress installation, and access controls should be reviewed to limit which users can modify content through widgets. Deploying a content security policy and routinely monitoring user-generated content can additionally help detect and block exploitation attempts. The vulnerability underscores the importance of proper input validation and output encoding in web application development, particularly for plugins that accept user-supplied data through visual editors and widget interfaces.
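The monitoring step above can be made concrete with a triage scan of what is already stored. The following is an added example written for this page, not code from the Stratum plugin or from Elementor. It assumes that Elementor keeps a page's widget settings as a JSON element tree in the `_elementor_data` post meta (sections containing columns containing widgets, each with a `settings` object); the widget type names, element ids and setting values in the sample document are constructed placeholders, and the regular expression is a heuristic that produces review candidates, not verdicts.

```php
<?php
// Added example, not code from the Stratum plugin or from Elementor: a triage
// scanner for the mitigation step "monitor user-generated content". It assumes
// (as Elementor does) that a page's widget settings are stored as a JSON tree in
// the `_elementor_data` post meta, walks every string setting in that tree, and
// reports values that look like markup or script injection, together with the
// widget and setting path, so a reviewer knows exactly where to look.

/** Heuristic, not a verdict: flags strings containing script-capable markup. */
function looks_like_markup_injection(string $value): bool
{
    // Decode entities first so `&lt;script&gt;` stored by one layer is still seen.
    $plain = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $pattern = '~<\s*/?\s*(script|iframe|svg|object|embed|img)\b'   // script-capable tags
             . '|javascript\s*:'                                     // script URLs
             . '|\bon[a-z]+\s*='                                     // inline event handlers
             . '|data:\s*text/html~i';                               // data: documents
    return preg_match($pattern, $plain) === 1;
}

/** Flatten a nested settings array into "path.to.key" => string value pairs. */
function flatten_strings($node, string $prefix = ''): array
{
    if (is_string($node)) {
        return [$prefix => $node];
    }
    $flat = [];
    if (is_array($node)) {
        foreach ($node as $key => $child) {
            $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
            $flat += flatten_strings($child, $path);
        }
    }
    return $flat;
}

/** Walk the element tree (sections > columns > widgets) and collect suspicious settings. */
function find_suspicious_settings(array $elements, string $parent = ''): array
{
    $hits = [];
    foreach ($elements as $element) {
        $name  = ($element['widgetType'] ?? $element['elType'] ?? 'unknown') . '#' . ($element['id'] ?? '?');
        $where = $parent === '' ? $name : $parent . ' > ' . $name;
        foreach (flatten_strings($element['settings'] ?? []) as $setting => $value) {
            if (looks_like_markup_injection($value)) {
                $hits[] = ['element' => $where, 'setting' => $setting, 'value' => $value];
            }
        }
        if (!empty($element['elements'])) {
            $hits = array_merge($hits, find_suspicious_settings($element['elements'], $where));
        }
    }
    return $hits;
}

/** Entry point: takes the raw `_elementor_data` JSON string for one post. */
function scan_elementor_data(string $json): array
{
    $tree = json_decode($json, true);
    return is_array($tree) ? find_suspicious_settings($tree) : [];
}

// Constructed `_elementor_data` document: one hotspot widget holding two probe
// strings and one clean heading widget. Widget type names and ids are placeholders.
$constructed_meta = json_encode([[
    'id' => 'a1b2c3', 'elType' => 'section', 'settings' => [], 'elements' => [[
        'id' => 'd4e5f6', 'elType' => 'column', 'settings' => [], 'elements' => [
            ['id' => '111111', 'elType' => 'widget', 'widgetType' => 'example-image-hotspot',
             'settings' => [
                 'title'    => 'Campus map',
                 'hotspots' => [
                     ['label' => 'Library', 'link' => ['url' => 'javascript:alert(1)']],
                     ['label' => '<img src=x onerror=alert(1)>', 'link' => ['url' => 'https://example.com']],
                 ],
             ], 'elements' => []],
            ['id' => '222222', 'elType' => 'widget', 'widgetType' => 'heading',
             'settings' => ['title' => 'Welcome'], 'elements' => []],
        ],
    ]],
]]);

foreach (scan_elementor_data($constructed_meta) as $hit) {
    printf("%-60s %-24s %s\n", $hit['element'], $hit['setting'], $hit['value']);
}
// Inside WordPress, feed the scanner each post's meta instead of the constructed
// sample: scan_elementor_data((string) get_post_meta($post_id, '_elementor_data', true)).
```

Run against the constructed document, the scan reports the two hotspot entries (`hotspots.0.link.url` and `hotspots.1.label`) under the `example-image-hotspot` widget and nothing for the heading widget. Expect some noise on real sites, since text-editor widgets legitimately store `<img>` tags; the element path and setting name in each hit are what let a reviewer decide quickly, and a scan scheduled after the plugin update confirms that nothing planted before the fix is still waiting in the database.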