Impact
An improper neutralization of input during web page generation flaw in the WordPress aThemes Addons for Elementor plugin allows stored cross-site scripting: injected script content is executed when users view pages that include data supplied through the plugin. The attack vector is inferred to be the plugin's data input interfaces, because the vulnerability is described as stored XSS: user-supplied data is not sanitized before being saved to the database and is later rendered in page markup, enabling the injection of arbitrary JavaScript. Any visitor or user whose browser renders a page containing the malicious content could have their session hijacked or sensitive data exfiltrated, or be exposed to phishing or malware.
Affected Systems
The vulnerability affects the WordPress plugin Syed Balkhi aThemes Addons for Elementor. All released versions up to and including 1.0.8 are impacted; newer releases are not listed as vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity. The EPSS score of less than 1% suggests a very low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is stored, malicious content persists once inserted and affects any site visitor, making it a significant risk if the plugin is enabled on a website.