Attack Vectors
CVE-2025-63042 is a Medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting Tutor LMS Elementor Addons for WordPress (plugin slug: tutor-lms-elementor-addons) in versions up to and including 3.0.1.
The key precondition is that the attacker must already hold an authenticated account with Contributor privileges or higher. In organizations where multiple staff, agencies, instructors, or contractors have content access, this is a realistic threat model. Once the malicious script is stored, it executes in the browser of any user who loads the affected page. Because Contributors cannot publish on their own, the first victim is frequently the Editor or Administrator who previews or approves the submitted content, which is exactly the session an attacker wants to run in.
Severity context: CVSS 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). Public details: https://www.cve.org/CVERecord?id=CVE-2025-63042. Additional reference: Wordfence vulnerability record.
Security Weakness
The vulnerability is caused by insufficient input sanitization and output escaping: the plugin allows certain user-supplied values to be saved in WordPress and later rendered into page markup without neutralizing the characters a browser treats as code. WordPress core already passes the post body of users lacking the unfiltered_html capability (Contributors included) through wp_kses, so a Contributor-reachable stored XSS in a plugin implies a plugin-controlled field that is stored or output outside that protection. The fix is the usual one: escape every value for the context it is printed into (esc_html for text, esc_attr for attribute values, esc_url for URLs, wp_kses_post for rich text) at render time, rather than trusting whatever was checked on save.
Because this is a stored XSS issue, the malicious payload can persist on the site until it is removed, and it can affect multiple visitors over time—especially if embedded in a high-traffic page or a page frequently accessed by admins.
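The following PHP is an added illustration of the bug class described above and is not code from Tutor LMS Elementor Addons or from this advisory. It shows a hypothetical Elementor-style widget render routine that prints saved settings raw, next to the same routine with context-appropriate escaping. The widget name, setting keys, markup and the attack strings in $settings are all constructed for the demo; the esc_* shims exist only so the file runs outside WordPress, where the real functions are defined and the shims are skipped.

```php
<?php
// Added illustration (not Tutor LMS Elementor Addons code): a widget render routine that
// prints saved settings without output escaping, next to the escaped version.
// Widget name, setting keys and markup are hypothetical.
// The shims make the file run outside WordPress (`php escaping-demo.php`); inside
// WordPress the real esc_* functions already exist and the shims are skipped.

if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in for WordPress esc_url(): keeps http(s), protocol-relative and
    // site-relative URLs and rejects everything else (the real function also allows
    // mailto:, tel: and a few other safe schemes, and likewise drops javascript:).
    function esc_url($url) {
        $url = trim((string) $url);
        if ($url !== '' && (preg_match('#^(?:https?:)?//#i', $url) || $url[0] === '/')) {
            return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        }
        return '';
    }
}

// Widget settings as a Contributor might save them. Constructed attack strings, one per
// output context: an HTML text node, a URL attribute, and a plain attribute value.
$settings = [
    'title'       => '<img src=x onerror="alert(document.domain)">',
    'button_text' => 'Enroll now',
    'button_url'  => 'javascript:alert(1)',
    'css_class'   => 'btn" autofocus onfocus="alert(1)',
];

// Vulnerable pattern: saved values are concatenated straight into the markup.
function render_vulnerable(array $s): string
{
    return '<div class="course-card ' . $s['css_class'] . '">'
         . '<h3>' . $s['title'] . '</h3>'
         . '<a class="btn" href="' . $s['button_url'] . '">' . $s['button_text'] . '</a>'
         . '</div>';
}

// Hardened pattern: each value is escaped for the exact context it lands in,
// at render time (late escaping), regardless of what was validated on save.
function render_hardened(array $s): string
{
    return '<div class="course-card ' . esc_attr($s['css_class']) . '">'
         . '<h3>' . esc_html($s['title']) . '</h3>'
         . '<a class="btn" href="' . esc_url($s['button_url']) . '">' . esc_html($s['button_text']) . '</a>'
         . '</div>';
}

echo "vulnerable:\n", render_vulnerable($settings), "\n\n";
echo "hardened:\n", render_hardened($settings), "\n";
```

Run it with `php escaping-demo.php` and compare the two outputs. In the vulnerable version the title becomes a live img element with an onerror handler, the css_class value closes the attribute and injects its own, and the link carries a javascript: URL; in the hardened version every angle bracket and quote is entity-encoded and the javascript: URL is dropped. Note that the three values need three different escapers: esc_html would not have saved the attribute case, and neither esc_html nor esc_attr rejects a javascript: scheme.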
Remediation: Update Tutor LMS Elementor Addons to version 3.0.2 or newer (patched); confirm the installed version under Plugins > Installed Plugins or with `wp plugin get tutor-lms-elementor-addons --field=version`. If you cannot update immediately, restrict Contributor-level access, review content recently created or edited by Contributor accounts (including Elementor page data, which Elementor stores in post meta rather than in the post body), and consider temporarily reducing permissions for non-essential accounts.
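For the "review recently published/edited content" step, the script below is an added example, not part of this advisory or of the plugin. It flags posts modified since a given date whose post_content or Elementor page data (the `_elementor_data` post meta that Elementor stores widget settings in) contains common stored-XSS indicators. The $posts rows are constructed sample data shaped like wp_posts columns plus that meta value; on a real site you would feed it rows from get_posts() and get_post_meta() under `wp eval-file`, or from a database export. The indicator list, function name and sample data are all assumptions for the demo.

```php
<?php
// Added example for the remediation step "review recently published/edited content".
// Not part of the advisory or of Tutor LMS Elementor Addons. The $posts rows below are
// constructed sample data shaped like wp_posts columns plus the _elementor_data post
// meta; in production, replace them with get_posts()/get_post_meta() results or a DB export.

// Regexes for the markup stored-XSS payloads usually need. Hits are leads for
// manual review, not proof: legitimate embeds and prose can match too.
const XSS_INDICATORS = [
    'script_tag'    => '#<\s*script\b#i',
    'event_handler' => '#\bon(?:error|load|focus|click|mouseover|animationstart|toggle)\s*=#i',
    'js_uri'        => '#\bjavascript\s*:#i',
    'html_data_uri' => '#\bdata\s*:\s*text/html#i',
    'risky_tag'     => '#<\s*(?:svg|iframe|object|embed|math)\b#i',
];

// Returns the posts modified at or after $since whose content or Elementor data
// matches at least one indicator, with the indicator names that fired.
function find_suspicious_posts(array $posts, string $since): array
{
    $hits = [];
    foreach ($posts as $p) {
        if (strcmp($p['post_modified'], $since) < 0) {
            continue; // MySQL DATETIME strings ("Y-m-d H:i:s") compare correctly as text
        }
        $haystack = $p['post_content'] . "\n" . ($p['_elementor_data'] ?? '');
        // _elementor_data is JSON, so quotes and slashes are backslash-escaped;
        // scan both the raw and the unescaped form so neither hides a match.
        $haystack .= "\n" . stripslashes($haystack);
        $matched = [];
        foreach (XSS_INDICATORS as $name => $pattern) {
            if (preg_match($pattern, $haystack)) {
                $matched[] = $name;
            }
        }
        if ($matched) {
            $hits[] = [
                'ID'            => $p['ID'],
                'post_author'   => $p['post_author'],
                'post_modified' => $p['post_modified'],
                'indicators'    => $matched,
            ];
        }
    }
    return $hits;
}

// Constructed sample rows: a clean post, a post whose Elementor widget title carries
// an event-handler payload, and an old post outside the review window.
$posts = [
    [
        'ID' => 101, 'post_author' => 7, 'post_modified' => '2025-11-02 09:14:00',
        'post_content' => 'Welcome to the course. <a href="/syllabus">Syllabus</a>',
        '_elementor_data' => '[{"id":"a1","widgetType":"course-card","settings":{"title":"Intro to SQL"}}]',
    ],
    [
        'ID' => 102, 'post_author' => 7, 'post_modified' => '2025-11-03 17:40:00',
        'post_content' => 'See the schedule below.',
        '_elementor_data' => '[{"id":"b2","widgetType":"course-card","settings":{"title":"<img src=x onerror=\"fetch(\'/wp-json/wp/v2/users\')\">"}}]',
    ],
    [
        'ID' => 100, 'post_author' => 3, 'post_modified' => '2025-09-20 08:00:00',
        'post_content' => '<script>alert(1)</script>', // older than $since: not in scope here
    ],
];

$since = '2025-10-01 00:00:00';
foreach (find_suspicious_posts($posts, $since) as $hit) {
    printf("post %d by author %d (modified %s): %s\n",
        $hit['ID'], $hit['post_author'], $hit['post_modified'], implode(', ', $hit['indicators']));
}
```

Against the constructed rows only post 102 is reported, on the event_handler indicator, even though its post_content is harmless; that is the point of scanning the Elementor meta as well as the body. Widen the date window to before the plugin was installed if the account in question has been around that long, and pair the output with a list of which of the flagged authors hold the Contributor role.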
Technical or Business Impacts
Account and session risk: Stored XSS runs attacker script in the victim's browser under the victim's identity. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is usually not possible; the practical danger is that script executing in an administrator's session can drive the REST API or admin-ajax with the nonces available to the page and perform anything that administrator can, such as creating a new administrator account, changing site options, or installing a plugin. It can also silently alter site content or rewrite what the victim sees.
Brand and revenue impact: Marketing sites and LMS properties rely on trust. XSS can be used to inject phishing prompts, redirect visitors, alter page messaging, or tamper with forms—undermining conversion performance and brand credibility. For regulated organizations, this can also create reporting and audit pressure if customer data or authenticated sessions are exposed.
Operational impact: Incident response typically includes emergency patching, content review, log review, and potentially password resets for privileged users. These activities create avoidable downtime and distraction for marketing, IT, and compliance teams.
Similar Attacks
Injection flaws in WordPress core and in components it bundles have repeatedly shown that a low-privileged account or a single unescaped value is enough to compromise a site:
CVE-2019-8942 (WordPress): authenticated remote code execution in WordPress before 4.9.9 and 5.0.x before 5.0.1, where an Author-level user could tamper with the _wp_attached_file post meta of an uploaded image and reach code execution.
CVE-2020-11022 (jQuery): cross-site scripting in jQuery before 3.5.0, where HTML passed to DOM manipulation methods such as .html() and .append() could execute even after sanitization; WordPress bundles jQuery, so sites depended on a core update for the fix.
CVE-2022-21661 (WordPress): SQL injection through WP_Query in WordPress before 5.8.3, reachable via plugins and themes that pass user input into query arguments.