Impact
The Sky Addons for Elementor plugin does not properly neutralize input, allowing attackers to store malicious scripts that are later rendered as part of a web page. This vulnerability can lead to the execution of arbitrary script in the context of an affected user's browser, exposing the user to credential theft, defacement, or session hijacking. The weakness is classified as CWE-79, indicating an input-validation issue that results in XSS.
Affected Systems
WordPress sites that have the wowDevs Sky Addons for Elementor plugin installed in any version up to and including 3.0.1 are affected. No newer version numbers are listed in the current data, so operators of any site running the vulnerable plugin must review patch availability.
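One way to inventory installs against the affected range above, as an added example (not code from the advisory or the plugin). It assumes the plugin's main PHP file carries a standard WordPress header whose "Plugin Name" contains the product name used here; the folder name `sky-addons-sample` and version 3.0.2 in the sample tree are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Sky Addons for Elementor"  # product name as given in the advisory
LAST_AFFECTED = (3, 0, 1)                 # "up to and including 3.0.1"
HEADER = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version)[ \t]*:[ \t]*(.+?)[ \t]*$", re.I | re.M)

def read_header(php_file):
    """Return the 'plugin name' and 'version' fields of a plugin header comment."""
    # WordPress itself only inspects the first 8 KiB of the file for headers.
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER.findall(text):
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_tuple(version):
    """'3.0.1' -> (3, 0, 1); a suffix such as '-beta' is ignored."""
    parts = [int(p) for p in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))

def find_affected(plugins_dir):
    """List (path, version) for installed copies at or below LAST_AFFECTED."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        name = header.get("plugin name", "").lower()
        if PLUGIN_NAME.lower() in name and "version" in header:
            if version_tuple(header["version"]) <= LAST_AFFECTED:
                hits.append((str(php_file), header["version"]))
    return hits

def demo():
    """Constructed sample tree: one affected copy, one hypothetical later one."""
    root = Path(tempfile.mkdtemp())
    for site, version in (("site-a", "3.0.1"), ("site-b", "3.0.2")):
        plugin = root / site / "plugins" / "sky-addons-sample"
        plugin.mkdir(parents=True)
        (plugin / "main.php").write_text(
            f"<?php\n/**\n * Plugin Name: {PLUGIN_NAME}\n * Version: {version}\n */\n")
    return [find_affected(root / s / "plugins") for s in ("site-a", "site-b")]

if __name__ == "__main__":
    print(demo())
```

Point `find_affected` at a site's `wp-content/plugins` directory to run it against a real install.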
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests that exploitation is unlikely but possible. The vulnerability is not yet listed in the CISA KEV catalog, meaning no widespread exploitation has been documented, but the stored nature of the XSS still permits persistent attacks. Based on the description, it is inferred that the likely attack vector is the content editor or analogous page-creation features, since these are the input points used to store content that is subsequently rendered to visitors. The low exploitation probability does not diminish the potential impact on users who encounter an infected page.