Impact
The vulnerability is a stored cross‑site scripting flaw that allows attackers to inject malicious scripts into the web page output. By embedding crafted JavaScript in the plugin’s content fields, an attacker can cause arbitrary code to run in the browsers of any visitor who views the affected content. The impact can range from cookie theft and session hijacking to defacement or remote code execution within the user’s session, depending on the attacker’s payload.
Affected Systems
Element Invader’s ElementInvader Addons for Elementor plugin for WordPress is affected. Versions from the earliest release through 1.3.3 contain the flaw. Site administrators should check which version of the plugin is installed on each site.
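One way to run that check across a `wp-content/plugins` directory, as an added example that is not part of the advisory or the plugin's own code. It assumes the plugin's main file carries the standard WordPress header comment and that its `Plugin Name` field matches the name used in this advisory; the folder names and the 1.4.0 version in the sample tree are constructed.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "ElementInvader Addons for Elementor"  # assumption: header uses the advisory's name
LAST_AFFECTED = (1, 3, 3)                            # advisory: every version through 1.3.3
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def read_header(php_file):
    """Return (name, version) from a plugin file's header comment; missing fields are None."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]  # header sits at the top
    fields = {}
    for key, value in HEADER.findall(head):
        fields.setdefault(key.lower(), value)        # first occurrence wins
    return fields.get("plugin name"), fields.get("version")

def parse_version(text):
    """'1.3.3' -> (1, 3, 3). A version with no digits yields (), which sorts as affected."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def find_affected(plugins_dir):
    """List (folder, version) for each installed copy at or below the last affected version."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        name, version = read_header(php_file)
        if name and version and name.casefold() == PLUGIN_NAME.casefold() \
                and parse_version(version) <= LAST_AFFECTED:
            hits.append((php_file.parent.name, version))
    return hits

def demo():
    """Scan a constructed plugins directory holding one affected and one newer copy."""
    with tempfile.TemporaryDirectory() as tmp:
        for folder_name, version in (("site-a-copy", "1.3.3"), ("site-b-copy", "1.4.0")):
            folder = Path(tmp, folder_name)
            folder.mkdir()
            (folder / "plugin.php").write_text(
                f"<?php\n/**\n * Plugin Name: {PLUGIN_NAME}\n * Version: {version}\n */\n")
        return find_affected(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `find_affected()` at a real `wp-content/plugins` path to inventory a site; a copy whose version string cannot be parsed is reported rather than skipped.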
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity. The EPSS score is reported as less than 1%, meaning that although the vulnerability exists, the likelihood of real‑world exploitation is currently very low. The vulnerability is not listed in the CISA KEV catalog, so it is not known to be actively exploited in the wild. The description identifies the flaw as a stored XSS vulnerability. From this it is inferred that an attacker would need to inject a malicious payload that is stored and later rendered to visitors, likely via the plugin’s administrative interface or a similarly privileged input point, although the exact attack vector is not explicitly stated. Once stored, the malicious script executes whenever a user loads the affected page, making the attack both persistent and broadly visible.