Impact
The Jeg Elementor Kit plugin for WordPress suffers from a stored Cross‑Site Scripting flaw in the countdown widget’s redirect functionality. Because user input is not properly sanitized, an authenticated user with Contributor or higher privileges can inject malicious JavaScript that is saved and later executed automatically whenever the page containing the countdown element is viewed by any user, including administrators. The flaw is a classic injection weakness (CWE‑79, Cross‑Site Scripting): it lets an attacker run arbitrary scripts in the victim’s browser, potentially stealing cookies or session tokens, or modifying page content.
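As an added example, not code from the plugin or from OpenCVE, the check below walks an exported `_elementor_data` post-meta tree (Elementor's stored page layout) and flags link or redirect settings whose scheme is not http(s)/mailto/tel, or any setting value carrying script markup; the widget type `jkit_countdown`, the `redirect_url` setting name and the sample data are constructed assumptions.

```python
import json
import re
from urllib.parse import unquote

# Schemes a link/redirect setting may use; '' covers relative URLs.
SAFE_SCHEMES = {"http", "https", "mailto", "tel", ""}
URL_KEY_RE = re.compile(r"url|link|redirect|href", re.IGNORECASE)
MARKUP_RE = re.compile(r"<\s*(script|iframe|svg)|\bon\w+\s*=", re.IGNORECASE)

def url_scheme(value):
    """Scheme of a URL after undoing percent-encoding and stripping the
    whitespace/control characters browsers ignore; '' if relative."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", unquote(value)).lower()
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", cleaned)
    return m.group(1) if m else ""

def scan_settings(settings, path, findings):
    """Walk one widget's settings; Elementor link settings are nested dicts."""
    for key, value in settings.items():
        if isinstance(value, dict):
            scan_settings(value, f"{path}.{key}", findings)
        elif isinstance(value, str):
            if URL_KEY_RE.search(key) and url_scheme(value) not in SAFE_SCHEMES:
                findings.append((f"{path}.{key}", "unsafe scheme", value))
            if MARKUP_RE.search(value):
                findings.append((f"{path}.{key}", "markup", value))

def scan_elements(elements, findings, path="root"):
    """Recurse through the section -> column -> widget tree."""
    for el in elements:
        node = f"{path}/{el.get('widgetType') or el.get('elType')}[{el.get('id')}]"
        scan_settings(el.get("settings", {}), node, findings)
        scan_elements(el.get("elements", []), findings, node)

def scan_elementor_data(raw_json):
    """Return (path, reason, value) for every suspicious stored setting."""
    findings = []
    scan_elements(json.loads(raw_json), findings)
    return findings

# Constructed sample shaped like Elementor's _elementor_data post meta. The
# widget type and setting names are assumptions, not the plugin's own.
SAMPLE_ELEMENTOR_DATA = json.dumps([{"id": "a1", "elType": "section", "settings": {}, "elements": [
    {"id": "b2", "elType": "column", "settings": {}, "elements": [
        {"id": "c3", "elType": "widget", "widgetType": "jkit_countdown",
         "settings": {"redirect_url": {"url": "https://example.com/done"}}},
        {"id": "d4", "elType": "widget", "widgetType": "jkit_countdown",
         "settings": {"redirect_url": {"url": "javascript:alert(1)"},
                      "title": "Sale ends <script>alert(1)</script>"}}]}]}])
```

Running `scan_elementor_data(SAMPLE_ELEMENTOR_DATA)` reports the second widget twice (unsafe scheme on its redirect URL, markup in its title) and leaves the first untouched; on a real site, feed it the `_elementor_data` value of each post from the `wp_postmeta` table.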
Affected Systems
All installations of Jeg Elementor Kit for Elementor – Powerful Addons for Elementor on WordPress at version 3.0.1 or earlier are vulnerable; the flaw exists in every release up to and including 3.0.1. Any WordPress site that has the plugin installed and a user who can inject content via the countdown widget is at risk.
Risk and Exploitability
The CVSS score of 6.4 indicates medium severity, primarily because injecting the payload requires an authenticated account and the script executes only in the browser of a user who views the affected page. The EPSS score of below 1% suggests that, as of now, the likelihood of widespread exploitation is very low. However, because the vulnerability allows arbitrary JavaScript execution, a determined attacker who compromises a Contributor‑level account, or induces a higher‑privileged user to view a maliciously crafted page, could cause significant damage. The flaw is not listed in CISA’s KEV catalog, and no public exploitation has been documented yet.
OpenCVE Enrichment