CVE-2025-9978: 
WordPress vulnerability analysis and mitigation

CVE-2025-9978 is a cross-site scripting (XSS) vulnerability discovered in the Jeg Kit for Elementor WordPress plugin versions before 2.7.0. The vulnerability was disclosed on October 24, 2025, and was identified by WPScan. The issue affects WordPress installations using the vulnerable versions of the Jeg Kit for Elementor plugin (WPScan, NVD).

The vulnerability stems from improper sanitization of SVG file contents when uploaded through xmlrpc.php. The issue has been assigned a CVSS v3.1 score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H. This indicates that while the vulnerability requires high privileges and user interaction, it can potentially lead to high impacts on confidentiality, integrity, and availability (WPScan).

When successfully exploited, the vulnerability allows attackers with author-level privileges to upload malicious SVG files containing JavaScript code, which can lead to stored cross-site scripting attacks. This could potentially allow attackers to perform actions with the privileges of other users who view the malicious SVG file (WPScan).

The vulnerability has been patched in version 2.7.0 of the Jeg Kit for Elementor plugin. Users are advised to update to this version or later to mitigate the risk. If immediate updating is not possible, administrators should consider restricting access to xmlrpc.php or limiting user privileges for SVG uploads (WPScan).