Impact
Improper neutralization of user‑supplied content in ModelTheme Addons for WPBakery and Elementor allows a stored XSS attack. A malicious actor could inject scripts that execute in the browsers of site visitors who view pages rendering the vulnerable plugin content, potentially leading to cookie theft, session hijacking or defacement. The vulnerability is a classic Cross‑Site Scripting flaw classified as CWE‑79 and affects any site that has not yet updated to version 1.5.6.
Affected Systems
The affected product is the ModelTheme Addons for WPBakery and Elementor plugin, released by modeltheme. Versions from the earliest release up through 1.5.5 are vulnerable; the issue is fixed in version 1.5.6. No other vendors or products are listed.
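To check a WordPress install against the version range above, the following added example (not code from the advisory or the plugin) scans a plugins directory and flags copies older than 1.5.6. It assumes the plugin's `Plugin Name` header matches the product name as written in this advisory; the folder names in the demo are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the plugin header name equals the product name in the advisory.
PLUGIN_NAME = "ModelTheme Addons for WPBakery and Elementor"
FIXED_VERSION = "1.5.6"  # first fixed release per the advisory

# WordPress plugin headers look like " * Plugin Name: Foo" / " * Version: 1.2.3".
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version)[ \t]*:[ \t]*(.+?)[ \t*/]*$", re.I | re.M)

def read_plugin_header(php_file):
    """Parse the header fields from the first 8 KiB of the file."""
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    header = {}
    for key, value in HEADER_RE.findall(text):
        header.setdefault(key.lower(), value.strip())  # first match wins
    return header

def version_tuple(version):
    """'1.5.5' -> (1, 5, 5); any non-numeric suffix is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def scan(plugins_dir):
    """Return (folder, version, status) for every copy of the plugin found."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_plugin_header(php)
        if header.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        version = header.get("version", "")
        if not version_tuple(version):
            status = "unknown"      # no parsable version: review by hand
        elif version_tuple(version) < version_tuple(FIXED_VERSION):
            status = "vulnerable"   # 1.5.5 or earlier
        else:
            status = "fixed"
        findings.append((php.parent.name, version, status))
    return findings

def demo():
    """Scan a constructed plugins directory (folder names are hypothetical)."""
    samples = [("addons-old", PLUGIN_NAME, "1.5.5"),
               ("addons-new", PLUGIN_NAME, "1.5.6"),
               ("other-plugin", "Some Other Plugin", "1.0.0")]
    with tempfile.TemporaryDirectory() as root:
        for folder, name, version in samples:
            Path(root, folder).mkdir()
            Path(root, folder, "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, call `scan()` with the path to `wp-content/plugins`.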
Risk and Exploitability
The CVSS base score is 6.5, indicating a moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via stored input in the plugin’s administrative interfaces, which an attacker can control if they have credentials with access to the plugin or can otherwise inject content into the plugin’s stored data. Successful exploitation would give the attacker the ability to run arbitrary scripts in the browsers of anyone who visits the affected site.