This vulnerability, identified as an XSS flaw, allows improper neutralization of input during web page generation within the Void Elementor WHMCS Elements For Elementor Page Builder plugin. An attacker who can inject user‑controlled content can cause arbitrary JavaScript to run in the context of the victim’s browser. This permits session hijacking, defacement, or redirection to malicious sites, compromising the confidentiality, integrity, and potentially the availability of the affected site.

The flaw affects installations of the Void Elementor WHMCS Elements For Elementor Page Builder plugin by voidthemes running on WordPress. All versions from the initial release through <= 2.0.1.2 are vulnerable. Site administrators deploying the plugin in any WordPress environment should assess whether their current version falls in this range.

The CVSS base score of 6.5 indicates a medium severity, while the EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low immediate exploitation likelihood. The attack vector is inferred to be remote, exploiting any user or visitor able to inject content via the plugin’s interface; however, the description does not specify the exact entry point. No exploit code has been publicly disclosed, and no evidence of active exploitation has been reported.