The vulnerability allows an attacker who can authenticate to the WordPress site with contributor level access or higher to store malicious scripts in the marker content field of the Open Street Map widget. When a user views a page that includes that widget, the injected script executes in the victim's browser. This is a classic stored cross‑site scripting flaw—CWE‑79—providing an attacker with client‑side code execution that can lead to defacement, cookie theft, or further phishing attacks, but not to unrestricted server‑side code execution. The impact is therefore limited to client‑side compromise rather than full system takeover.

The affected product is bdthemes:Element Pack – Widgets, Templates & Addons for Elementor, a popular WordPress plugin that extends Elementor. All versions of Element Pack up to and including 8.3.4 contain the flaw; the plugin is widely used on sites that run WordPress and Elementor. No specific operating system or PHP version is mentioned, but any WordPress installation using a vulnerable version of this plugin is at risk.

The CVSS score of 5.4 classifies the flaw as a moderate severity issue, but the very low EPSS score of <1% indicates that, at the time of analysis, the probability of exploitation is low. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authenticated access, an attacker would need to compromise a contributor‑level account or gain it through phishing or credential reuse. Once authenticated, they can inject the payload and any person who later opens a page containing the malicious widget will be affected. The attack vector is therefore constrained to sites with the vulnerable plugin and to users who view the injected pages.