The vulnerability exists in Qi Addons For Elementor plugin for WordPress, affecting all versions up to 1.9.1. Insufficient input sanitization and output escaping allows an attacker who can add or edit content—any user with Contributor or higher role—to store malicious JavaScript in plugin‑managed fields. When a page containing the injected data is later loaded by another visitor, the script executes in that visitor’s browser, enabling session hijacking, credential theft, or defacement. This is a classic stored cross‑site scripting (CWE‑79) flaw.

Affected systems are WordPress sites that have the Qi Addons For Elementor plugin installed and running a vulnerable version (1.9.1 or earlier). The vendor is qodeinteractive, and the product is Qi Addons For Elementor. These sites typically rely on the plugin to add advanced elements to pages, and the vulnerability lives within server‑side stored content that is rendered back to visitors.

The CVSS score of 6.4 reflects moderate severity, and the EPSS score of less than 1 % suggests a low current exploitation probability. The flaw is not listed in CISA’s KEV catalogue. Exploitation requires the attacker to be authenticated with at least Contributor access, so the threat surface is limited to trusted users or compromised contributor accounts. Nonetheless an attacker who gains such an account can place malicious payloads that will run for every visitor to the affected page, providing ample opportunities for phishing, credential stealing, or spreading further malware.