CVE-2025-1663: 
WordPress vulnerability analysis and mitigation

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via several widgets in versions up to and including 1.5.142. This vulnerability was discovered and reported in April 2025, tracked as CVE-2025-1663. The issue affects authenticated users with Contributor-level access and above, allowing them to inject arbitrary web scripts that execute when users access affected pages (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 5.4 (Medium) according to NIST, and 6.4 (Medium) according to Wordfence. The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, required privileges, user interaction, and potential for limited confidentiality and integrity impacts (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts into pages. These scripts will execute whenever any user accesses the compromised pages, potentially leading to unauthorized data access or manipulation of user interactions (NVD).

The vulnerability has been patched in version 1.5.143 of the Unlimited Elements For Elementor plugin. Users are advised to update to this version or later to protect against this security issue (WordPress Plugin).