Impact
The Exclusive Addons for Elementor plugin is affected by a stored cross‑site scripting flaw that occurs when users inject malicious JavaScript into the Animated Text or Image Comparison widgets. The input sanitization and output escaping are insufficient, so the injected script is persisted in the database and executed whenever a visitor loads the affected page. This flaw enables attackers to deface content, steal session cookies from regular users, or load foreign resources.
Affected Systems
The vulnerability exists in the Exclusive Addons for Elementor plugin from the timstrifler vendor for all releases up to and including version 2.7.6. No other versions are listed as affected.
Risk and Exploitability
The CVSS score of 6.4 indicates a moderate impact, but the EPSS score of less than 1% signals that very few attacks are expected in the near term and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated user with contributor or higher privileges to add or edit widget settings; after injection, any visitor to the affected page will execute the injected code. The lack of mitigation in the plugin’s code and the stored nature of the payload mean that attackers with legitimate access can persist malicious scripts that affect all site visitors.
OpenCVE Enrichment
EUVD