CVE-2025-9703: 
WordPress vulnerability analysis and mitigation

The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) WordPress plugin before version 2.5.0 contains a Cross-Site Scripting vulnerability. The vulnerability was discovered on September 15, 2025, and was assigned CVE-2025-9703. The issue affects the plugin's file upload functionality, specifically when handling SVG files (WPScan, NVD).

The vulnerability stems from improper sanitization of SVG file contents when uploaded through the xmlrpc.php endpoint using base64 encode. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L. The vulnerability is classified under CWE-79 (Cross-Site Scripting) and is listed as part of the OWASP Top 10 under A7: Cross-Site Scripting (XSS) (WPScan, NVD).

The vulnerability allows attackers with author-level privileges or higher to store malicious SVG content that can execute cross-site scripting attacks when viewed by other users. This could potentially lead to unauthorized access to sensitive information, session hijacking, or other malicious actions performed in the context of the affected users (WPScan).

The vulnerability has been fixed in version 2.5.0 of the Ultimate Addons for Elementor plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).