CVE-2025-58196: XSS in WordPress UiCore Elements Plugin

Summary

I have recently reported an Authenticated (Contributor+) Stored Cross-Site Scripting (XSS) vulnerability in the WordPress UiCore Elements plugin in versions up to and including 1.3.3.

The vulnerability exists in the Accordion widget: the user-supplied "Title HTML Tag" value is written into the opening tag without validation, so a contributor can smuggle an event-handler attribute into it and have script execute in the browser session of whoever views the post. The plugin has 40,000+ active installations.

This has been fixed in version 1.3.4. It was assigned CVE-2025-58196 and published in the Patchstack vulnerability database.

About The Plugin

UiCore Elements is a versatile plugin designed to extend the capabilities of Elementor Page Builder. Elevate your website’s design with an array of widgets, each crafted to bring innovation and interactivity to your pages.

Plugin Name: UiCore Elements – Free Elementor widgets and templates
Plugin Slug: uicore-elements
WP.org Profile: https://wordpress.org/plugins/uicore-elements/
Active Installations: 40,000+
Vulnerable Version: 1.3.3
Patched Version: 1.3.4
CVSS & Severity: Low (6.5)

🔧 Attack Scenario

Step 01:

Log in as an administrator. Install and activate the plugin. Also install and activate the Elementor FREE plugin. Make sure that the Accordion widget is enabled.

Step 02:

Log in as a contributor user. Create a post and edit it using Elementor. Drag and drop the Accordion widget.

Step 03:

For the Title HTML Tag, enter the following payload:

h4 onmouseover=alert(1)

Click Submit For Review.

Step 04:

Log in as an administrator and preview the post. The payload executes when you hover over the accordion title.

❗Vulnerable Code

File: wp-content/plugins/uicore-elements/includes/widgets/accordion.php
Lines: 1340, 1426

$titleTag = $settings['title_html_tag'] . ' '; // HTML tag

.....

<<?php echo esc_html($titleTag) ?> <?php $this->print_render_attribute_string($tab_title_setting_key); ?>>
endif;

In this code, the value of $settings['title_html_tag'] is directly controlled by the user. It is never validated against the set of tag names the control is meant to offer, and wrapping it in esc_html() does not help: the payload h4 onmouseover=alert(1) contains none of the characters esc_html() escapes (<, >, &, quotes), so it is emitted verbatim inside the opening tag. When rendered, the injected attribute is interpreted by the browser, leading to Cross-Site Scripting (XSS).

Patch

To fix the vulnerability (CVE-2025-58196), the developers added a new helper method named esc_tag in the file includes/class-helper.php.

This method validates the user-provided value against a whitelist of tag names, so only a known tag name can reach the template; anything else is rejected.

Reference: Link to the changeset

This method is then used to validate the title tags used by the various components throughout the plugin, not only the Accordion widget.

Reference: Link to the changeset

Full Changeset: Link
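As an added PHP illustration of the fix described above (this is not the plugin's own esc_tag() code; the allowlist contents and the names safe_title_tag() and SAFE_TITLE_TAGS are assumptions, and htmlspecialchars() stands in for WordPress esc_html() so the script runs with plain PHP), here is the vulnerable render pattern beside a hardened one that validates the tag name instead of escaping it:

```php
<?php
// Added example, not the plugin's code. The allowlist contents and the
// function names are assumptions; htmlspecialchars() stands in for
// WordPress esc_html() so this runs with plain PHP.

// Tag names the Accordion title control should ever be allowed to emit.
const SAFE_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Return $tag only if the whole string is an allowed tag name; otherwise
// fall back to $default. "H4" is accepted after lowercasing, but
// "h4 onmouseover=alert(1)" is rejected because it is not an exact match.
function safe_title_tag(string $tag, string $default = 'div'): string
{
    $candidate = strtolower(trim($tag));
    return in_array($candidate, SAFE_TITLE_TAGS, true) ? $candidate : $default;
}

// Vulnerable pattern, mirroring the accordion.php snippet above: the tag
// name is HTML-escaped, but escaping only touches < > & " ' and the payload
// contains none of them, so it lands verbatim inside the opening tag.
function render_title_vulnerable(string $titleTag, string $text): string
{
    $tag = htmlspecialchars($titleTag, ENT_QUOTES);
    return '<' . $tag . '>' . htmlspecialchars($text, ENT_QUOTES) . '</' . $tag . '>';
}

// Hardened pattern: a tag name is a token from a fixed vocabulary, so it is
// validated against the allowlist rather than escaped. The title text is
// still escaped, since that is free-form content, not a tag name.
function render_title_safe(string $titleTag, string $text): string
{
    $tag = safe_title_tag($titleTag);
    return '<' . $tag . '>' . htmlspecialchars($text, ENT_QUOTES) . '</' . $tag . '>';
}

$inputs = [
    'h4',                      // legitimate choice from the control
    'H2',                      // case differs, still a valid tag name
    'h4 onmouseover=alert(1)', // the Step 03 payload
];
foreach ($inputs as $input) {
    echo 'input:      ', $input, PHP_EOL;
    echo 'vulnerable: ', render_title_vulnerable($input, 'Tab title'), PHP_EOL;
    echo 'hardened:   ', render_title_safe($input, 'Tab title'), PHP_EOL, PHP_EOL;
}
```

Run it with php on the command line; the hardened output for the payload falls back to the default tag, while the vulnerable output carries the event handler through.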

Timeline

Report Submitted To Patchstack: 28 July, 2025
Vendor Contacted: 21 August, 2025
Patch Submitted: 22 August, 2025
Published: 27 August, 2025

Conclusion

An Authenticated (Contributor+) Stored Cross-Site Scripting (XSS) vulnerability was discovered in the UiCore Elements plugin for WordPress (versions ≤ 1.3.3). The issue was rooted in the Accordion widget, where the unvalidated "Title HTML Tag" setting allowed contributors to inject an event-handler attribute, and with it JavaScript, that executes in the victim's browser session. This vulnerability, tracked as CVE-2025-58196, has been patched in version 1.3.4 and is documented in the Patchstack Vulnerability Database.