The vulnerability is an improper neutralization of input during web page generation that allows an attacker to store malicious scripts in the RSTheme RS Elements Elementor Addon. By injecting arbitrary JavaScript into a field that is later rendered on the site, an attacker could execute code in the browsers of visitors to the site. This could lead to theft of credentials, session hijacking, defacement, or further exploitation of the victim’s browser session. The weakness is classified as CWE‑79.

RSTheme RS Elements Elementor Addon (rselements-lite) is affected in all versions from the first release up to and including 1.1.5. No lower bound is specified, so any installation with version 1.1.5 or earlier is vulnerable. The problem is specific to the WordPress plugin.

The CVSS score is 6.5, indicating moderate risk. The EPSS score of <1% suggests a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need to insert a malicious payload into a field that is stored by the plugin and later displayed, typically using an administrative or front‑end form. If successful, the injected script runs in the context of the site’s users. Since the vulnerability is stored, it can affect every page that renders the stored content, making it especially dangerous for sites with high traffic. Mitigation requires updating the plugin or removing the vulnerability entirely.