PT-2025-40853 · WordPress · Ultimate Addons For Elementor+1
Tony · Published 2025-10-06 · Updated 2025-10-06
CVE-2025-9703
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) versions prior to 2.5.0
Description
The software does not properly sanitize the contents of uploaded SVG files. This occurs when SVG files are uploaded through the xmlrpc.php endpoint as base64-encoded data, and it can lead to Cross-Site Scripting. The vulnerable endpoint is /xmlrpc.php. The vulnerable operation is uploading SVG files as base64-encoded data.
Recommendations
Update The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) to version 2.5.0 or later.
Exploit
Fix
Affected Products
Elementor Header & Footer Builder
Ultimate Addons For Elementor