Impact
The vulnerability is an Improper Neutralization of Input During Web Page Generation flaw that allows attackers to store malicious scripts within the WordPress site via the Ultimate Store Kit Elementor Addons plugin. Stored XSS is the primary impact, enabling the attacker to run arbitrary JavaScript in the browsers of any visitor to the compromised site. This can lead to session hijacking, credential theft, defacement, or the delivery of malware, affecting the confidentiality, integrity, and availability of the site and its users. The weakness is indexed as CWE‑79 – a classic input‑validation issue.
Affected Systems
This issue affects the bdthemes Ultimate Store Kit Elementor Addons plugin for WordPress. Any installation of the plugin with a version number of 2.8.6 or earlier is vulnerable. The plugin is used to add e‑commerce and Elementor extensions to WordPress sites. Users running these affected plugin versions should consider their installation at risk.
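A defender's check for the version range stated above, as an added example that is not part of the original advisory or the plugin's code. It assumes the plugin's "Plugin Name" header contains "Ultimate Store Kit" and that plugins sit in the usual one-directory-per-plugin layout; the sample directory, folder names and the 2.8.10 version are constructed.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = "2.8.6"            # from the advisory: 2.8.6 and earlier are vulnerable
NAME_MATCH = "ultimate store kit"  # assumption: substring of the "Plugin Name" header
# Same header shape WordPress parses: optional comment chars, field name, colon, value
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)

def version_key(version):
    """Dotted version -> int tuple; suffixes like -beta dropped, 2.8 equals 2.8.0."""
    parts = [int(p) for p in re.findall(r"\d+", version.split("-")[0])]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version):
    return version_key(version) <= version_key(LAST_AFFECTED)

def read_header(php_file):
    """WordPress reads plugin metadata from the first 8 KiB of the main file."""
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {field.lower(): value for field, value in HEADER.findall(text)}

def scan(plugins_dir):
    """Return (directory, version, affected) for each matching plugin found."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php)
        if NAME_MATCH in header.get("plugin name", "").lower() and "version" in header:
            version = header["version"]
            findings.append((php.parent.name, version, is_affected(version)))
    return findings

def demo():
    """Scan a constructed plugins directory (sample headers, not real releases)."""
    samples = {
        "kit-old": ("Ultimate Store Kit", "2.8.6"),
        "kit-patched": ("Ultimate Store Kit", "2.8.10"),  # constructed version number
        "other": ("Unrelated Plugin", "1.0"),
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, (name, version) in samples.items():
            Path(root, folder).mkdir()
            Path(root, folder, "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return scan(root)

if __name__ == "__main__":
    for folder, version, affected in demo():
        print(f"{folder}: {version} -> {'AFFECTED' if affected else 'ok'}")
```

Point `scan()` at a site's `wp-content/plugins` directory to run it against a real installation; versions are compared numerically, so 2.8.10 is correctly treated as later than 2.8.6.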
Risk and Exploitability
The CVSS score of 6.5 places the flaw in the Medium severity range, while the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation typically requires the attacker to inject malicious code into a content field that is later rendered by the plugin. This could be achieved through the WordPress admin interface or via any form that stores user‑supplied content. Once the script is stored, the browser of any visitor to the affected page will execute it, providing a straightforward attack path for attackers who can write to the site’s content.