Impact
This flaw is a DOM‑based Cross‑Site Scripting (XSS) vulnerability in the Black Widgets For Elementor plugin: user‑controlled input reaches page rendering without being properly neutralized. When an attacker places malicious script in widget content or parameters, that script runs in the browser of any user who views the affected page, in the origin of the WordPress site itself. Consequences include hijacking the victim's session, stealing credentials, and running arbitrary JavaScript with whatever privileges the victim holds; an administrator viewing the page is the most damaging target. One caveat for impact assessment: WordPress marks its authentication cookies HttpOnly, so outright cookie theft is normally not possible, and the script instead acts within the victim's authenticated session by issuing requests from the page. The flaw is classified as a moderate severity issue (CVSS 6.5), which indicates a non‑critical yet potentially damaging attack if exploited.
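The pattern described above, as an added example that is not the plugin's code and not part of the advisory: a widget parameter taken from the page URL (a typical DOM XSS source) is concatenated into markup destined for innerHTML, beside a hardened routine that escapes it first. The parameter name bw_title, the widget markup and the attacker URL are all constructed for illustration.

```javascript
// Added example, not code from the plugin or the advisory.
// Constructed attacker-controlled URL: the hypothetical "bw_title" widget
// parameter carries an image tag with an event handler.
const ATTACKER_URL =
  "https://example.test/page/?bw_title=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E";

// Source: read a widget parameter from the page URL. In a browser this would
// be window.location; here a URL string is passed in so the code runs offline.
function widgetTitleFromUrl(url) {
  return new URL(url).searchParams.get("bw_title") ?? "";
}

// Vulnerable sink: the untrusted value is spliced into markup that the page
// would assign to element.innerHTML, so tags and on* handlers survive intact.
function renderWidgetUnsafe(title) {
  return `<div class="bw-widget"><h3>${title}</h3></div>`;
}

// Escape the characters that let text break out of an HTML text node or a
// quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened sink: escape before inserting. In a real page, assigning the value
// with element.textContent is the simpler fix, since it never parses markup.
function renderWidgetSafe(title) {
  return `<div class="bw-widget"><h3>${escapeHtml(title)}</h3></div>`;
}

// Check used to show the difference: does the rendered title still contain
// a live tag? Only the inner text between the fixed wrapper is inspected.
function hasInjectedTag(html) {
  const open = '<div class="bw-widget"><h3>';
  const close = "</h3></div>";
  const inner = html.slice(open.length, html.length - close.length);
  return /<[a-z]/i.test(inner);
}

const title = widgetTitleFromUrl(ATTACKER_URL);
console.log("unsafe:", renderWidgetUnsafe(title)); // <img ... onerror=...> survives
console.log("safe:  ", renderWidgetSafe(title));   // rendered as inert text
```

Running this in Node prints the unsafe rendering with the `<img>` tag and its `onerror` handler intact, and the safe rendering with the same text escaped to `&lt;img ...&gt;`, which a browser displays as literal characters rather than parsing. The same source-to-sink reasoning applies whether the value arrives from a URL, a stored widget setting or a postMessage payload: what matters is whether it reaches a markup-parsing sink unescaped.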
Affected Systems
The vulnerability affects the Black Widgets For Elementor plugin for WordPress, developed by Modernaweb Studio. All releases up to and including 1.3.8 are affected; no lower bound is given, so any installation running 1.3.8 or earlier should be treated as vulnerable.
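One way to check an installation against the affected range, as an added example that is not the plugin's code and not part of the advisory: read the Version: line from a WordPress plugin header and compare it numerically against 1.3.8. The header text below is constructed, and the file name and path of the real plugin are not asserted; the point of the numeric comparison is that a plain string comparison would wrongly rank 1.3.10 below 1.3.8.

```javascript
// Added example, not code from the plugin or the advisory.
// Last release the advisory lists as affected (no lower bound is given).
const LAST_AFFECTED = "1.3.8";

// Constructed sample of a WordPress plugin main-file header.
const SAMPLE_PLUGIN_HEADER = `<?php
/**
 * Plugin Name: Black Widgets For Elementor
 * Version: 1.3.10
 */
`;

// Extract the Version: value from a plugin header block, or null if absent.
function pluginVersion(headerText) {
  const m = headerText.match(/^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)/m);
  return m ? m[1] : null;
}

// Compare dotted versions component by component as integers, so that
// 1.3.10 > 1.3.8. Missing components count as 0 (1.3 == 1.3.0).
function compareVersions(a, b) {
  const pa = a.split(".").map((p) => parseInt(p, 10) || 0);
  const pb = b.split(".").map((p) => parseInt(p, 10) || 0);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the installed version is 1.3.8 or earlier.
function isAffected(version) {
  return compareVersions(version, LAST_AFFECTED) <= 0;
}

const installed = pluginVersion(SAMPLE_PLUGIN_HEADER);
console.log(`installed ${installed}, affected: ${isAffected(installed)}`);
console.log(`naive string compare says 1.3.10 < 1.3.8: ${"1.3.10" < "1.3.8"}`);
```

The second line of output shows why the numeric comparison matters: a lexical check flags a patched 1.3.10 install as vulnerable and would keep it on a remediation list indefinitely.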
Risk and Exploitability
The risk is moderate: a CVSS score of 6.5 and an Exploit Prediction Scoring System (EPSS) score below 1 %, meaning exploitation in the wild is currently judged unlikely. The flaw is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The attack vector is web‑based: an attacker who can embed malicious content in a widget, or in a page the end user later views, triggers the DOM‑based XSS. Successful exploitation requires user interaction (the victim must load the affected page) but is otherwise straightforward for an attacker who already has the access needed to manipulate widget content.
OpenCVE Enrichment