Impact
The vulnerability allows an authenticated WordPress user with contributor-level access to inject arbitrary scripts into the ‘marker_content’ field of the Open Street Map widget in Element Pack. The plugin fails to sanitize or escape this input, storing the payload in the database. When a page containing the malicious marker is viewed, the script runs in the visitor’s browser, enabling cookie theft, session hijacking, defacement or other client‑side attacks. The weakness is classified as CWE‑79.
Affected Systems
Vulnerable versions of bdthemes Element Pack – Widgets, Templates & Addons for Elementor Lite, up to and including 8.1.5, are affected. The plugin is deployed on WordPress sites that use this component.
Risk and Exploitability
The CVSS score of 5.4 reflects moderate severity. The EPSS score of 3 % indicates a low probability of exploitation in the short term. This issue is not listed in the CISA KEV catalog. Attackers must first authenticate to the WordPress admin interface with at least contributor privileges to add or edit the Open Street Map widget. After saving malicious marker content, all users who view the page are exposed to the injected script. The described attack vector requires legitimate WordPress access and is therefore limited to users with sufficient editorial rights.
OpenCVE Enrichment
EUVD