CVE-2025-1054: 
WordPress vulnerability analysis and mitigation

The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting (CVE-2025-1054) via multiple widgets including UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel in versions up to and including 1.0.16. The vulnerability was discovered and disclosed on April 23, 2025 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in multiple widget components. This security flaw allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) (NVD, Wordfence).

When exploited, this vulnerability allows attackers to inject malicious scripts that execute whenever a user accesses an affected page. This can lead to potential data theft, session hijacking, or other client-side attacks targeting site visitors (NVD).

A patch has been released to address this vulnerability. Site administrators should update the UiCore Elements plugin to a version newer than 1.0.16 (WordPress Plugin).