WordPress: Stored Cross-Site Scripting in Text Path Widget of Elementor Website Builder Plugin

In Elementor Website Builder – More Than Just a Page Builder plugin for WordPress versions up to and including 3.30.2 a medium severity vulnerability CVE-2025-4566 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the `data-text` DOM element attribute in the Text Path widget due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Elementor Website Builder – More Than Just a Page Builder plugin to versions 3.30.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4566.