Improper neutralization of input during web page generation allows attackers to inject malicious scripts that are persisted and rendered when other users view affected content. The vulnerability is a stored XSS flaw (CWE‑79) that could result in the execution of arbitrary JavaScript in the victim’s browser, leading to theft of session tokens, defacement, or further phishing attacks. The malicious code is executed in the context of the victim’s account and is not limited by privilege, making it a significant threat to confidentiality, integrity, and availability of user interactions within the site. No additional exploitation prerequisites are listed beyond the presence of the vulnerable plugin and its content addition features.

The issue affects the WordPress plugin Directorist AddonsKit for Elementor from wPWax, versions up to and including 1.1.6. No specific patch version is detailed beyond the maximum affected version.

The CVSS score is 6.5, indicating a moderate severity. The EPSS score is less than 1 %, showing a very low exploitation probability at the time of analysis; the vulnerability is also not in the CISA KEV catalog. Attack vectors are inferred to be web‑based: any user who can submit content through the plugin can embed malicious payloads that are stored and later served to other visitors. The lack of network‑level exploitation constraints suggests that the flaw is exploitable through standard web interactions.