Impact
The SKT Addons for Elementor plugin improperly neutralizes input during web page generation, resulting in a stored Cross-Site Scripting (XSS) flaw. An attacker who can submit malicious input to the plugin can have that input saved by the WordPress site and later rendered as part of a page, causing the browsers of other visitors to execute arbitrary JavaScript. The weakness is caused by a failure to escape or sanitize user-supplied data before rendering it in the page output.
Affected Systems
The vulnerability affects the SKT Addons for Elementor plugin provided by sonalsinha21 in all releases with a version number less than or equal to 3.5. The CVE record gives no information on earlier releases, so the impact applies to all versions within that range.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests that widespread exploitation is unlikely as of this analysis. The issue is not listed in the CISA KEV catalog. Exploitation would require an attacker to be able to supply or modify content, custom fields, or plugin configuration that is subsequently stored and displayed to other site visitors, typically through administrative access to the WordPress backend or through plugin interfaces that accept user input.