Improper neutralization of input during web page generation allows attackers to inject malicious scripts that are stored by the Vertex Addons for Elementor plugin. When a victim views a page that contains the injected content, the attacker‑controlled script executes in the victim’s browser, potentially enabling session hijacking, cookie theft, or the delivery of further malware. The vulnerability is a classic stored XSS flaw (CWE‑79) that can compromise the confidentiality, integrity, or availability of the web application for any user who can view the affected content.

The flaw exists in Webilia Inc.’s Vertex Addons for Elementor plugin for WordPress, affecting all releases from the earliest available version up through 1.2.0 inclusive. No later versions (1.2.1 and above) are known to be affected.

The CVSS score of 6.5 indicates a moderate severity. The EPSS score of less than 1 % suggests a low probability of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitability typically requires the attacker to be able to inject content into Elementor templates or widgets, which means administrative or content‑author privileges are necessary. Once stored, the script activates on remote users’ browsers whenever the content is rendered, making the attack vector a web‑based, remote execution scenario. Although the chance of exploitation is low, the potential impact on impacted sites warrants prompt mitigation.