CVE-2025-4944: 
WordPress vulnerability analysis and mitigation

The LA-Studio Element Kit for Elementor plugin for WordPress (versions up to and including 1.5.2) contains a Stored Cross-Site Scripting vulnerability in its Image Compare and Google Maps widgets. The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes. This security issue was discovered and reported on May 29, 2025, and has been assigned CVE-2025-4944 (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability specifically affects the plugin's Image Compare and Google Maps widgets, where user input is not properly sanitized before being stored and displayed (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other client-side attacks (NVD).

The vulnerability has been patched in version 1.5.3 of the LA-Studio Element Kit for Elementor plugin. Users are strongly advised to update to this latest version to protect against potential attacks (WordPress Plugin).