Impact
The vulnerability is an improper neutralization of input during web page generation, resulting in a stored cross-site scripting (XSS) flaw. An attacker can inject malicious JavaScript via any data field that is stored by the Easy Elementor Addons plugin and later rendered in a page. Once executed, the script runs with the privileges of the visiting user, potentially hijacking sessions, defacing the site, or exfiltrating data. This weakness is categorized as CWE-79 and undermines the confidentiality, integrity, and availability of the affected website.
Affected Systems
Version 2.1.6 of the Easy Elementor Addons plugin and all earlier releases are affected. Any WordPress installation that has been running those releases, regardless of WordPress core version or theme, is at risk. Only installations after the release of version 2.1.7 are believed to be fixed.
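To triage which installations fall in the affected range, the following added example (not part of the advisory or the plugin's own code) scans a WordPress tree for the plugin's header and flags versions 2.1.6 and earlier. It assumes the plugin's `Plugin Name` header contains the name used in this advisory; the function names and the sample header are constructed for illustration.

```python
import re
import sys
from pathlib import Path

PLUGIN_NAME = "Easy Elementor Addons"  # assumption: header name contains the advisory's name
LAST_AFFECTED = (2, 1, 6)              # advisory: 2.1.6 and all earlier releases
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M | re.I)

# Constructed sample of a WordPress plugin header, for illustration only.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Easy Elementor Addons
 * Version: 2.1.6
 */
"""

def parse_header(text):
    """Return the first 'plugin name' and 'version' fields of a plugin header."""
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value.strip(" \t\r*/"))
    return fields

def version_tuple(version):
    """'2.1.6' -> (2, 1, 6); a suffix such as '-beta' is ignored, short versions are zero-padded."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True for 2.1.6 and earlier. A missing version parses as 0.0.0 and is flagged for review."""
    return version_tuple(version) <= LAST_AFFECTED

def scan(wp_root):
    """Yield (plugin_file, version, affected) for each installed copy of the plugin."""
    for php in sorted(Path(wp_root).glob("wp-content/plugins/*/*.php")):
        with open(php, "rb") as fh:  # WordPress reads only the first 8 KB for headers
            fields = parse_header(fh.read(8192).decode("utf-8", "replace"))
        if PLUGIN_NAME.lower() in fields.get("plugin name", "").lower():
            version = fields.get("version", "")
            yield php, version, is_affected(version)

if __name__ == "__main__":
    hits = list(scan(sys.argv[1] if len(sys.argv) > 1 else "."))
    for path, version, affected in hits:
        status = "AFFECTED" if affected else "outside affected range"
        print(f"{status:24}{version or '?':10}{path}")
    sys.exit(1 if any(affected for _, _, affected in hits) else 0)
```

Run it with the WordPress root directory as the only argument; the exit status is 1 when at least one affected copy is found, which makes it usable in a fleet-wide check.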
Risk and Exploitability
The CVSS base score of 6.5 indicates a moderate-severity vulnerability, while the EPSS score of less than 1% suggests a low exploitation probability as of the last update. The vulnerability is not listed in the CISA KEV catalog. Exploitation would generally occur through the plugin's administrative interface, where user data can be input and stored; an attacker with access to a page that includes that data can deliver the injected script to all visitors. With no KEV listing, organizations should still monitor for any new attack traffic but can treat this as a standard-priority patching issue for sites running the vulnerable plugin.