← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2025-22312 · CWE-79 · Disclosed 2025-01-07

Improper Neutralization of Input During Web Page Generation

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a bad note slipped into the site editor, not a skeleton key to your estate

CVE-2025-22312 is an XSS flaw in the ThimPress thim-elementor-kit WordPress plugin. Authoritative records disagree on the exact wording—Patchstack/NVD describe DOM-based XSS, while Wordfence and WPScan describe it as *authenticated Contributor+ stored XSS*—but the operationally important part is consistent: an attacker needs at least low-privilege WordPress access and a vulnerable plugin version. Current public records show the affected range was later broadened from <= 1.2.8 to <= 1.2.9, with 1.2.9.1 called out as fixed.

The vendor's *MEDIUM 6.5* score is fair in a lab, but high for enterprise prioritization. Requiring authenticated Contributor+ access is the decisive friction: that means the attacker is already inside the WordPress trust boundary or has already compromised a low-privilege account. From there, impact is usually limited to browser-side code execution in the context of that site, with follow-on abuse depending on an admin or privileged user viewing poisoned content.

"Real issue, but it starts at Contributor and ends inside one WordPress site—not an enterprise fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get a Contributor foothold

The attacker first needs a valid WordPress account with Contributor privileges or higher. In practice this comes from credential stuffing, phishing, account reuse, a separate auth bug, or intentionally open self-registration on content-heavy sites. No public evidence shows this CVE bypasses authentication by itself.
Conditions required:
  • Target runs WordPress with thim-elementor-kit installed
  • Attacker has valid Contributor+ credentials
  • Attacker can reach the site's editor/admin workflow
Where this breaks in practice:
  • Many enterprise WordPress sites disable public registration
  • SSO/MFA on wp-admin blocks a lot of commodity abuse
  • Contributor accounts are a much smaller exposed population than unauthenticated internet users
Detection/coverage: External vuln scanners can usually flag the plugin version, but not whether low-privilege accounts exist or are exposed.
STEP 02

Plant the XSS payload

Using the vulnerable Thim Elementor Kit functionality, the attacker injects JavaScript into content or plugin-controlled page data. Wordfence/WPScan characterize this as stored XSS; Patchstack/NVD label it DOM-based, but either way the attacker is placing browser-executed input into a site workflow.
Conditions required:
  • Vulnerable plugin version <= 1.2.9
  • Attacker can save or influence the relevant page/widget content
Where this breaks in practice:
  • Exact exploit path appears widget/workflow-specific rather than site-wide
  • Editors or admins may notice malformed content before it is published
  • Some WAFs or CSP deployments will break generic payloads
Detection/coverage: Version-based checks work well. Payload-level detection is weaker unless you inspect page revisions, audit logs, or WAF events.
STEP 03

Wait for a privileged viewer

The malicious script only matters when another user loads the poisoned page or admin interface. That second-user dependency is the other major brake on severity: the attacker must line up both stored payload placement and a victim with enough privileges to make the session worthwhile.
Conditions required:
  • A victim user visits the affected page/view
  • Victim browser executes inline or referenced script
Where this breaks in practice:
  • If only anonymous visitors see the payload, enterprise impact is low
  • Admin-only impact often depends on an administrator reviewing content
  • Content Security Policy, browser protections, or sanitization by surrounding components may blunt payloads
Detection/coverage: Server logs show the page hit, not script execution. Browser-side telemetry or CSP violation reporting is more useful than host logging here.
STEP 04

Abuse the session in site scope

Once executed, the payload can steal nonces, perform actions as the victim in the WordPress session, or stage further admin-side abuse inside that tenant. This can become serious for the *site owner*, but it is still a one-site web-app problem, not a direct server RCE or lateral-movement primitive across your fleet.
Conditions required:
  • Victim has meaningful WordPress privileges
  • The payload can reach WordPress admin endpoints or session material
Where this breaks in practice:
  • Impact is bounded to the WordPress site and victim session context
  • No direct evidence of code execution on the underlying host from this CVE alone
  • Nonce scope, session expiry, and role separation reduce reliability
Detection/coverage: Look for unusual admin actions after content edits, suspicious post/widget revisions, and login/session anomalies around contributor accounts.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo reliable public evidence of active exploitation found. CISA ADP metadata for the CVE record marks exploitation as none.
KEV statusNot KEV-listed. The CVE appears in CISA's weekly bulletin for January 6, 2025, but not in the Known Exploited Vulnerabilities catalog.
Proof-of-concept availabilityNo well-known public PoC or Metasploit module surfaced in current public indexing. WPScan also marks the issue as Verified: No.
EPSS0.00152 from the supplied intel, which is very low and consistent with the narrow prerequisite chain.
CVSS vs realityVendor/CNA score is 6.5 MEDIUM with AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. In real deployments, PR:L is the big downgrade lever because it implies prior access to the WordPress tenant.
Affected versionsInitial CNA/NVD text said through 1.2.8, but later public CVE mirrors and Wordfence/WPScan tracking broadened this to <= 1.2.9.
Fixed versionMultiple security trackers converge on 1.2.9.1 as the patched release, even though the public WordPress changelog mainly shows 1.2.9 as a security fix step.
Exposure footprintThe plugin currently shows 20,000+ active installations on WordPress.org. That's enough to matter, but there is no clean internet-wide fingerprint from Shodan/Censys for enumerating this specific plugin at scale.
Disclosure timelinePublic disclosure was 2025-01-07 in the CNA/NVD record; Wordfence lists it as publicly published 2025-01-06.
Researcher / sourceReported by Michael via the Patchstack Bug Bounty Program / Patchstack Alliance.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.8/10)

This lands in LOW because the attacker must already hold authenticated Contributor+ access, which makes it a post-initial-access web-app abuse case rather than an internet-scale entry point. The blast radius is usually one WordPress tenant and one victim browser session, not host takeover across your estate.

HIGH Authentication requirement materially lowers enterprise urgency
MEDIUM Exact bug mechanics and affected range due to source disagreement (`DOM` vs `stored`, `<=1.2.8` vs `<=1.2.9`)
HIGH No current evidence of KEV status or active exploitation

Why this verdict

  • Requires prior foothold: Contributor+ means the attacker is already inside the WordPress trust boundary, so this is not an initial-access flaw.
  • Victim dependency lowers weaponization: even after payload placement, the attacker still needs a user to load the poisoned content; that extra step removes a lot of real-world reliability.
  • Blast radius is narrow: impact is serious for the affected site, but the CVE does not by itself provide unauthenticated compromise, server-side code execution, or broad lateral movement.

Why not higher?

There is no evidence of active exploitation, no KEV listing, and no indication this CVE yields direct RCE on the underlying host. The two strongest brakes are the authenticated-role requirement and the need for a second-user browser execution event.

Why not lower?

This is still a real XSS bug on a publicly distributed plugin with 20,000+ active installs, so it is not noise. If an attacker already has a contributor account on a business-critical site, admin-session abuse and tenant-level compromise are plausible follow-on outcomes.

05 · Compensating Control

What to do — in priority order.

  1. Lock down Contributor access — Audit who actually has Contributor or equivalent content-authoring roles, disable unused accounts, and remove public self-registration where it is not business-critical. For a LOW verdict there is no mitigation SLA; treat this as backlog hygiene and complete it during normal access-governance cleanup.
  2. Put wp-admin behind stronger auth — Enforce SSO and MFA for WordPress administrative access so attackers cannot easily satisfy the PR:L prerequisite with sprayed or reused credentials. For a LOW verdict there is no mitigation SLA; roll this into standard hardening if not already in place.
  3. Review and restrict content workflows — Limit which roles can publish or edit pages using Thim Elementor Kit widgets, and require editorial review for externally sourced content. For a LOW verdict there is no mitigation SLA; handle during routine WordPress governance work.
  4. Use WAF and CSP as speed bumps — A tuned WAF can catch commodity XSS payloads and a reasonable CSP can reduce payload reliability, especially inline script abuse. For a LOW verdict there is no mitigation SLA; deploy as defense-in-depth, not as an emergency change.
What doesn't work
  • Network segmentation alone does not solve this if the site is public; the attack rides legitimate HTTP and authenticated editor workflows.
  • Endpoint AV on the WordPress host does not reliably detect browser-side XSS execution because the malicious code runs in the victim's session, not as a host binary.
  • Assuming Contributor is harmless does not help; this CVE specifically turns low-privilege content access into script execution in other users' browsers.
06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host or container with read access to the WordPress docroot. Invoke it as bash check_thim_elem_cve_2025_22312.sh /var/www/html; no root is required if the plugin files are readable.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_thim_elem_cve_2025_22312.sh
# Detects whether Thim Elementor Kit is vulnerable to CVE-2025-22312.
# Usage: bash check_thim_elem_cve_2025_22312.sh /path/to/wordpress
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

TARGET_ROOT="${1:-}"
PLUGIN_DIR=""
VERSION=""
PATCHED_VERSION="1.2.9.1"

if [ -z "$TARGET_ROOT" ]; then
  echo "UNKNOWN - missing WordPress path argument"
  exit 2
fi

PLUGIN_DIR="$TARGET_ROOT/wp-content/plugins/thim-elementor-kit"

if [ ! -d "$PLUGIN_DIR" ]; then
  echo "UNKNOWN - plugin directory not found: $PLUGIN_DIR"
  exit 2
fi

extract_version() {
  local file="$1"
  if [ -f "$file" ]; then
    awk -F': *' 'BEGIN{IGNORECASE=1} /^Version:/ {print $2; exit}' "$file" 2>/dev/null | tr -d '\r'
  fi
}

VERSION="$(extract_version "$PLUGIN_DIR/thim-elementor-kit.php")"
if [ -z "$VERSION" ]; then
  VERSION="$(extract_version "$PLUGIN_DIR/readme.txt")"
fi

if [ -z "$VERSION" ]; then
  VERSION="$(grep -Rim1 '^Version:' "$PLUGIN_DIR" 2>/dev/null | sed 's/^[Vv]ersion:[[:space:]]*//')"
fi

if [ -z "$VERSION" ]; then
  echo "UNKNOWN - could not determine installed plugin version"
  exit 2
fi

verlte() {
  # returns 0 if $1 <= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

if verlte "$VERSION" "1.2.9"; then
  echo "VULNERABLE - detected thim-elementor-kit version $VERSION (fixed in $PATCHED_VERSION)"
  exit 1
fi

if verlte "$PATCHED_VERSION" "$VERSION"; then
  echo "PATCHED - detected thim-elementor-kit version $VERSION"
  exit 0
fi

echo "UNKNOWN - detected version $VERSION but unable to classify confidently"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, have the team pull an inventory of public WordPress instances running thim-elementor-kit, confirm whether any still allow broad Contributor access, and upgrade them to 1.2.9.1+ during the next normal plugin maintenance window. For a LOW finding there is no noisgate mitigation SLA and no noisgate remediation SLA—treat it as backlog hygiene, document the access-control guardrails, and avoid burning emergency change budget unless this plugin sits on a business-critical site with lots of non-admin content authors.

Sources

  1. NVD CVE-2025-22312
  2. Wordfence Intelligence: Thim Elementor Kit <= 1.2.9 - Authenticated (Contributor+) Stored XSS
  3. WPScan: Thim Elementor Kit < 1.2.9.1 - Contributor+ Stored XSS
  4. WordPress.org plugin page and changelog
  5. OpenCVE record showing later affected-range update
  6. CISA Weekly Vulnerability Bulletin SB25-013
  7. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.