CVE-2025-58196: WordPress UiCore Elements Plugin – Cross Site Scripting (XSS) Vulnerability


Summary

I have recently reported an Authenticated (Contributor+) Stored Cross-Site Scripting (XSS) vulnerability in the WordPress UiCore Elements plugin in versions up to and including 1.3.3.

The vulnerability exists in the Accordion widget due to improper handling of HTML tag attributes, allowing malicious scripts to be injected and executed in a user’s browser session. This affects 40,000+ users.

This has been fixed in recent versions. It was assigned CVE-2025-58196 and published in the Patchstack Vulnerability Database.

About The Plugin

UiCore Elements is a versatile plugin designed to extend the capabilities of Elementor Page Builder. Elevate your website’s design with an array of widgets, each crafted to bring innovation and interactivity to your pages.

Plugin Name: UiCore Elements – Free Elementor widgets and templates
Plugin Slug: uicore-elements
WP.org Profile: https://wordpress.org/plugins/uicore-elements/
Active Installations: 40,000+
Vulnerable Version: 1.3.3
Patched Version: 1.3.4
CVSS & Severity: Low (6.5)

🔧 Attack Scenario

Step 01:

Log in as an administrator. Install and activate the plugin. Also install and activate the Elementor FREE plugin. Make sure that the Accordion widget is enabled.

Step 02:

Log in as a contributor user. Create a post and edit it using Elementor. Drag and drop the Accordion widget.

Step 03:

For the Title HTML Tag, enter the following payload:

h4 onmouseover=alert(1) 

Click Submit For Review.

Step 04:

Log in as an administrator and preview the post. The payload will execute when you hover over the element.

❗Vulnerable Code

Vulnerable Code: wp-content/plugins/uicore-elements/includes/widgets/accordion.php
Lines: 1340, 1426

$titleTag = $settings['title_html_tag'] . ' '; // HTML tag

.....

<<?php echo esc_html($titleTag) ?> <?php $this->print_render_attribute_string($tab_title_setting_key); ?>>
endif;

In this code, the value of $settings['title_html_tag'] is directly controlled by the user. It is not validated against a list of permitted tag names, and esc_html() only encodes characters such as <, >, & and quotes, so a value like h4 onmouseover=alert(1) passes through unchanged and lands inside the opening tag. When rendered, the injected attribute is interpreted by the browser, leading to Cross-Site Scripting (XSS).

Patch

In order to fix the vulnerability, the developers have added a new helper method named esc_tag in the file: includes/class-helper.php

This method validates the user provided values against a whitelist of tag names.

Reference: Link to the changeset

Then this method has been used to validate the title tags used by various components throughout the plugin.

Reference: Link to the changeset

Full Changeset: Link
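To make the whitelist approach concrete, the following is an added example (not the plugin's own code; the real esc_tag implementation is not reproduced on this page) that places the vulnerable rendering pattern beside a tag-whitelist validator. The helper name uicore_safe_tag, the allowed list and the esc_html() stand-in are assumptions made so the script runs outside WordPress.

```php
<?php
// Added example, not the plugin's own code: a whitelist tag validator in the
// spirit of the esc_tag helper described in the patch, shown next to the
// vulnerable pattern. uicore_safe_tag and the allowed list are assumptions.

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html() so the example runs outside WordPress.
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

/**
 * Return $tag if it is an allowed element name, otherwise $default.
 * Matching is case-insensitive on the trimmed value; anything containing a
 * space, '=' or other attribute syntax is never in the list, so it is rejected.
 */
function uicore_safe_tag(string $tag, string $default = 'div'): string
{
    $allowed = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];
    $tag = strtolower(trim($tag));
    return in_array($tag, $allowed, true) ? $tag : $default;
}

// Vulnerable pattern (mirrors the affected code): esc_html() only encodes
// < > & and quotes, so a tag name followed by a space and an attribute is
// emitted unchanged inside the opening tag.
function render_open_tag_vulnerable(array $settings, string $attrs): string
{
    $titleTag = $settings['title_html_tag'] . ' '; // HTML tag
    return '<' . esc_html($titleTag) . $attrs . '>';
}

// Hardened pattern: the tag name is validated before it reaches the markup.
function render_open_tag_patched(array $settings, string $attrs): string
{
    $titleTag = uicore_safe_tag($settings['title_html_tag']);
    return '<' . $titleTag . ' ' . $attrs . '>';
}

// Constructed inputs: the payload from the attack scenario and a benign value.
$attrs = 'class="uicore-accordion-title"';
foreach (['h4 onmouseover=alert(1)', 'H3'] as $input) {
    $settings = ['title_html_tag' => $input];
    echo "input:      $input\n";
    echo "vulnerable: " . render_open_tag_vulnerable($settings, $attrs) . "\n";
    echo "patched:    " . render_open_tag_patched($settings, $attrs) . "\n\n";
}
```

Run it with the PHP CLI: for the payload input the vulnerable function emits the attribute inside the opening tag, while the hardened one falls back to the default div; the benign H3 is normalised to h3 and accepted.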

Timeline

Report Submitted To Patchstack: 28 July, 2025
Vendor Contacted: 21 August, 2025
Patch Submitted: 22 August, 2025
Published: 27 August, 2025

Conclusion

An Authenticated (Contributor+) Stored Cross-Site Scripting (XSS) vulnerability was discovered in the UiCore Elements plugin for WordPress (versions ≤ 1.3.3). The issue was rooted in the Accordion widget, where improper handling of HTML tag attributes allowed contributors to inject malicious JavaScript, which would then execute in the victim’s browser session. This vulnerability, tracked as CVE-2025-58196, has been patched in recent releases and is documented in the Patchstack Vulnerability Database.
