CVE-2025-14275
Unknown Unknown - Not Provided
Stored XSS in Jeg Elementor Kit Countdown Widget Allows Admin Hijack

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: Wordfence

Description
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14275
EUVD
EUVD-2026-1595
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jeg_elementor_kit jeg_elementor_kit to 3.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Jeg Elementor Kit WordPress plugin (up to version 3.0.1) is a Stored Cross-Site Scripting (XSS) issue in the countdown widget's redirect functionality. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code via insufficient input sanitization. This malicious script executes when an administrator or other user views the page containing the compromised countdown element.

Impact Analysis

This vulnerability allows attackers with Contributor-level access or above to inject malicious JavaScript that executes in the context of users viewing the affected page, such as administrators. This can lead to session hijacking, unauthorized actions, data theft, or further compromise of the WordPress site by executing arbitrary scripts.

Detection Guidance

This vulnerability can be detected by identifying instances of the Jeg Elementor Kit plugin version 3.0.1 or earlier installed on your WordPress site and checking for the presence of the countdown widget with potentially malicious redirect parameters. Since the vulnerability involves stored Cross-Site Scripting via the countdown widget's redirect functionality, you can look for suspicious JavaScript or unusual redirect URLs in the countdown elements on your site. Specific commands to detect this might include scanning your WordPress plugin directory for the plugin version, for example using: `wp plugin list | grep jeg-elementor-kit` to check the installed version. Additionally, you can search your WordPress database or page content for countdown widgets containing redirect parameters or suspicious scripts. However, no explicit detection commands are provided in the resources. [3]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Jeg Elementor Kit plugin to a version later than 3.0.1 where the vulnerability is fixed. Since the vulnerability arises from insufficient input sanitization in the countdown widget's redirect functionality, updating the plugin will apply the necessary security patches. Additionally, restrict Contributor-level and above users from adding countdown widgets with redirect functionality until the update is applied. Monitoring and sanitizing user inputs related to countdown widgets can also help mitigate risk. [2]

Compliance Impact

The provided resources and context do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14275. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart