Impact
The vulnerability is an improper neutralization of input that permits a DOM‑based XSS attack. Because the plugin fails to sanitize data before inserting it into a web page, the likely attack vector is malicious JavaScript embedded in a URL or form input that a visitor's browser renders. If executed, the script runs within the victim's browser session and can modify page content, harvest session cookies, or launch phishing attacks, compromising the confidentiality and integrity of the site's content and potentially its availability.
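To make the class of defect concrete, the following is an added example written for this page; it is not code from the ElementInvader Addons plugin or from Element Invader. It assumes a hypothetical greeting widget that reads a `name` query parameter from the page URL and builds an HTML fragment from it. The unsafe function shows the pattern described above (untrusted URL data reaching an HTML sink unchanged), the safe function neutralizes the input first, and `setTextSafely` shows the preferred fix of avoiding an HTML sink altogether. The functions return strings so the behaviour can be checked without a browser.

```javascript
// Added example, not the plugin's code: contrasting an unsafe DOM write with a safe one.

// Encode the five characters that change meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical widget: greets the visitor using the ?name= query parameter.
// Returns the HTML fragment that would later be assigned to element.innerHTML.
function unsafeGreetingHtml(pageUrl) {
  const name = new URL(pageUrl).searchParams.get('name') ?? 'visitor';
  // Vulnerable pattern: URL-controlled data is concatenated into markup, so any
  // tags in the parameter become live DOM once the fragment is inserted.
  return `<p class="greet">Hello, ${name}!</p>`;
}

function safeGreetingHtml(pageUrl) {
  const name = new URL(pageUrl).searchParams.get('name') ?? 'visitor';
  // Fixed pattern: neutralize the input before it reaches the HTML sink.
  return `<p class="greet">Hello, ${escapeHtml(name)}!</p>`;
}

// Preferred fix: do not use an HTML sink at all. In a browser this is
//   el.textContent = name;
// which never parses markup. A minimal stand-in element keeps this runnable offline.
function setTextSafely(el, pageUrl) {
  const name = new URL(pageUrl).searchParams.get('name') ?? 'visitor';
  el.textContent = name;
  return el;
}

// Constructed sample URL (not a real site): the parameter carries HTML tags.
const SAMPLE_URL = 'https://example.test/page?name=%3Cb%3Einjected%3C%2Fb%3E';

console.log('unsafe:', unsafeGreetingHtml(SAMPLE_URL)); // tags survive into the fragment
console.log('safe:  ', safeGreetingHtml(SAMPLE_URL));   // tags are encoded as text
console.log('text:  ', setTextSafely({ textContent: '' }, SAMPLE_URL).textContent);
```

The detection point for reviewers is the sink: any assignment to `innerHTML`, `outerHTML`, `document.write`, or jQuery's `.html()` whose value derives from `location`, `document.URL`, or form fields is the pattern to look for; the remediation is either output encoding as in `safeGreetingHtml` or a non-parsing sink as in `setTextSafely`.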
Affected Systems
The affected product is the ElementInvader Addons for Elementor WordPress plugin, offered by Element Invader. All releases from the earliest version up to and including 1.3.6 are vulnerable; the issue was present in every build up to that release.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while an EPSS score of less than 1 % suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that an attacker would need to entice a victim to visit a specially crafted URL or submit crafted form input that triggers the vulnerable code, so exploitation typically requires user interaction. Because the flaw resides in client‑side script handling, it can be exploited by any remote attacker with internet access who can reach the site.
OpenCVE Enrichment