Impact
Element Invader Addons for Elementor contains an improper neutralization of input during page generation, allowing an attacker to store and inject malicious scripts that execute when users view the affected page. The stored cross-site scripting can be used to steal session information, deface content, or redirect users to phishing sites, compromising confidentiality and integrity of site data.
Affected Systems
WordPress sites that use Element Invader's ElementInvader Addons for Elementor plugin version 1.3.5 or earlier are vulnerable. Any installation of the plugin from its initial release up to and including 1.3.5 is affected. The vulnerability is not limited to a specific WordPress version or theme and may impact sites where site administrators or trusted users have plugin editing capabilities.
Risk and Exploitability
The CVSS base score of 6.5 indicates moderate severity, while the EPSS score of less than 1% reflects a very low probability of exploitation at the time of this assessment. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The likely attack vector is through the plugin's input or settings fields accessible in the WordPress administration interface, requiring an authenticated user with sufficient privileges, or through malicious content inserted by a user with such access. An attacker could then embed arbitrary JavaScript that will run in the browsers of any visitors to the site.
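As an added illustration, not code from the ElementInvader Addons plugin (whose affected code is not reproduced here), the following hypothetical Elementor widget output shows the unescaped pattern behind this class of stored XSS next to the escaped form using WordPress core's esc_html() and esc_url(); it assumes it is loaded inside WordPress so those core functions exist.

```php
<?php
// Added illustration (hypothetical widget, not the plugin's own code).
// Widget settings are edited by authenticated users in the WordPress admin
// and stored; whatever render() echoes reaches every visitor's browser, so
// a value that is not escaped on output becomes stored XSS (CWE-79).

// Vulnerable pattern: stored values are concatenated straight into HTML.
function ei_demo_render_vulnerable( array $settings ): string {
    $title = $settings['title'] ?? '';
    $url   = $settings['link_url'] ?? '#';
    return '<h2 class="ei-title">' . $title . '</h2>'
         . '<a class="ei-button" href="' . $url . '">Read more</a>';
}

// Hardened pattern: escape for the exact output context.
//   esc_html() for text nodes, esc_attr() for attribute values,
//   esc_url()  for href/src, wp_kses_post() when limited markup is required.
function ei_demo_render_hardened( array $settings ): string {
    $title = $settings['title'] ?? '';
    $url   = $settings['link_url'] ?? '#';
    return '<h2 class="ei-title">' . esc_html( $title ) . '</h2>'
         . '<a class="ei-button" href="' . esc_url( $url ) . '">Read more</a>';
}

// Inside an Elementor widget (a subclass of Elementor\Widget_Base) the
// render() method would apply the same escaping to its display settings:
//
//   protected function render() {
//       echo ei_demo_render_hardened( $this->get_settings_for_display() );
//   }

// Constructed sample input, standing in for a setting saved by a user with
// access to the plugin's fields. The vulnerable version emits the <script>
// element verbatim; the hardened version emits it as inert text and
// esc_url() returns an empty string for the disallowed javascript: scheme.
$constructed = [
    'title'    => 'Welcome<script>alert(1)</script>',
    'link_url' => 'javascript:alert(1)',
];
echo ei_demo_render_vulnerable( $constructed ), "\n";
echo ei_demo_render_hardened( $constructed ), "\n";
```

Escaping at output time is the fix that holds regardless of which admin role saved the value, which matters here because the advisory's attack vector is a privileged but authenticated user whose input is trusted on save.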