Impact
The Plus Addons for Elementor plugin contains a stored cross‑site scripting flaw that enables an authenticated user with a Contributor role or higher to inject arbitrary JavaScript through the custom script parameter in all versions up to 6.3.10, even when the unfiltered_html capability is disabled. An attacker who can write or edit content can embed malicious code that will execute whenever any visitor views the affected page, potentially compromising user sessions and data.
Affected Systems
The vulnerability affects all WordPress sites running the Plus Addons for Elementor plugin from its initial release through version 6.3.10, issued by the vendor Posimyththemes. The flaw is present in the core widget code and page template configuration. Site administrators must check any installation that uses this plugin version and be aware that any user with Contributor or higher permissions is a threat actor.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity, and the EPSS score of < 1% suggests a low probability of exploitation under normal circumstances. However, the flaw can be exploited by anyone who can add or edit Elementor content, and the attack does not require unauthenticated access. Because the vulnerability is stored, it affects all visitors who load the compromised page. The bug is not currently listed in the CISA KEV catalog, but site owners are advised to monitor threat feeds for emerging exploitation activity.
OpenCVE Enrichment
EUVD