Impact
The Xpro Addons plugin for WordPress contains a Stored Cross-Site Scripting flaw in the Image Scroller widget, triggered when an authenticated user with contributor or higher privileges assigns a link to the widget box. Because the plugin neither sanitizes this user-supplied attribute on input nor escapes it on output, an attacker can store arbitrary JavaScript that executes in the browser of every user who views a page containing the injected widget. Possible consequences include theft of session cookies, page defacement, and redirection to malicious sites, compromising user confidentiality and enabling follow-on attacks such as phishing or malware delivery.
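The root cause described above is an attribute value that reaches the rendered HTML without escaping. The following PHP is an added illustration written for this page; it is not the plugin's own code, and the function names (render_scroller_link_vulnerable, render_scroller_link_safe, safe_url) and the sample inputs are constructed for the example. It shows the unsafe pattern next to a hardened one that allow-lists the URL scheme and HTML-encodes the value; inside WordPress the equivalent calls are esc_url() at output time and esc_url_raw() or sanitize_text_field() when the setting is saved.

```php
<?php
// Added example (not the plugin's code). Demonstrates why a widget "link"
// setting must be both scheme-checked and attribute-escaped before it is
// placed in an href.

// Vulnerable pattern (hypothetical): the stored setting is concatenated
// straight into the attribute. A quote in the value ends the attribute early,
// and a javascript: URL survives untouched.
function render_scroller_link_vulnerable(string $link, string $label): string
{
    return '<a class="scroller-box" href="' . $link . '">' . $label . '</a>';
}

// Hardened helper: mirrors what WordPress esc_url() does at the level needed
// here. Note that HTML-encoding alone is NOT enough: htmlspecialchars() leaves
// "javascript:alert(1)" unchanged, so the scheme check is a separate step.
function safe_url(string $url): string
{
    // Browsers ignore control characters and whitespace inside a scheme, so
    // "java\tscript:" would otherwise slip past the scheme test below.
    $url = preg_replace('/[\x00-\x20\x7f]/', '', $url);

    // Absolute URLs must use an allowed scheme; relative paths pass through.
    if (preg_match('~^([a-z][a-z0-9+.\-]*):~i', $url, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, ['http', 'https', 'mailto', 'tel'], true)) {
            return ''; // javascript:, data:, vbscript: and friends are dropped
        }
    }

    // Encode for an attribute context: quotes become entities, so the value
    // cannot close the href and start a new attribute such as onmouseover.
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_scroller_link_safe(string $link, string $label): string
{
    $href  = safe_url($link);
    $label = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if ($href === '') {
        // Rejected link: render the box without an anchor rather than with
        // a dangerous one.
        return '<span class="scroller-box">' . $label . '</span>';
    }
    return '<a class="scroller-box" href="' . $href . '">' . $label . '</a>';
}

// Constructed sample values: one legitimate link and two hostile ones.
$samples = [
    'https://example.com/gallery',   // benign, kept as-is after encoding
    'javascript:alert(1)',           // disallowed scheme, dropped
    '" onmouseover="alert(1)',       // attribute break-out, neutralised by encoding
];

foreach ($samples as $value) {
    echo "input:      {$value}\n";
    echo "vulnerable: " . render_scroller_link_vulnerable($value, 'Slide 1') . "\n";
    echo "hardened:   " . render_scroller_link_safe($value, 'Slide 1') . "\n\n";
}
```

Running the script shows the vulnerable renderer emitting the attacker-controlled attribute verbatim, while the hardened renderer either entity-encodes the quotes (so the string stays inside the href) or drops the link entirely when the scheme is not on the allow-list. In a real plugin the same two controls belong at save time as well, because a Contributor's stored setting is replayed to every later visitor.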
Affected Systems
The flaw affects all releases of Xpro Addons—140+ Widgets for Elementor up to and including version 1.4.24. The affected product is a WordPress plugin that supplies additional widgets for the Elementor page builder. Any site that installs this plugin and grants contributor-level access to users remains vulnerable until the plugin is updated to a version later than 1.4.24.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity, and the EPSS score of less than 1% suggests that the likelihood of widespread exploitation is currently very low. The vulnerability is not listed in CISA's KEV catalog. An attacker must first authenticate as a contributor or higher role to inject the malicious code, which limits initial exposure to users who already hold an account on the site. Once injected, however, the script runs automatically for every viewer of the affected page, so the threat persists for as long as the widget remains published.
OpenCVE Enrichment