Impact
The Responsive Addons for Elementor plugin is vulnerable to stored cross‑site scripting because it fails to sanitize or escape user‑supplied attributes in multiple widgets. Authenticated attackers with contributor level access or higher can inject arbitrary JavaScript that will execute whenever a page containing the malicious widget is viewed. Based on the nature of stored XSS, the injected script could potentially be used to hijack user sessions, steal credentials, or deface page content; these consequences are inferred from common XSS impact scenarios rather than explicitly stated in the CVE description.
Affected Systems
The vulnerability affects the Responsive Addons for Elementor WordPress plugin in all releases up to and including version 2.0.1. Any site running a release in that range is potentially exposed; administrators should verify the installed version and confirm it is not within the affected range.
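The version check recommended above, as an added example (not code from the plugin or the advisory): it reads the WordPress plugin header from each top-level PHP file under a plugins directory and flags copies at or below 2.0.1. Matching on the display name, the directory names and the sample versions are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Responsive Addons for Elementor"  # display name from the advisory
LAST_AFFECTED = (2, 0, 1)                        # "up to and including version 2.0.1"
# Plugin headers are "Key: value" lines in the leading comment of a top-level
# PHP file in the plugin directory; WordPress reads only the first 8 KiB.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/|\?>)?[ \t]*$",
    re.M | re.I)

def read_headers(php_file):
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    headers = {}
    for key, value in HEADER_RE.findall(text):
        headers.setdefault(key.lower(), value.strip())  # first occurrence wins
    return headers

def parse_version(raw):
    # '2.0.1' -> (2, 0, 1); trailing '.0' parts dropped; None if not numeric.
    m = re.match(r"\d+(?:\.\d+)*", raw.strip())
    if not m:
        return None
    return tuple(int(p) for p in re.sub(r"(?:\.0+)+$", "", m.group()).split("."))

def audit(plugins_dir):
    findings = []  # (directory, version string, status) per copy found
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        h = read_headers(php)
        if h.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        ver = parse_version(h.get("version", ""))
        status = ("unknown" if ver is None
                  else "affected" if ver <= LAST_AFFECTED else "not affected")
        findings.append((php.parent.name, h.get("version", ""), status))
    return findings

def build_sample(root):
    # Constructed tree: hypothetical directory names, versions chosen for the demo.
    for slug, version in (("site-a-copy", "2.0.1"), ("site-b-copy", "9.9.9")):
        d = Path(root) / slug
        d.mkdir(parents=True)
        (d / "main.php").write_text(
            f"<?php\n/**\n * Plugin Name: {PLUGIN_NAME}\n * Version: {version}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

Point audit() at a site's wp-content/plugins directory; an "unknown" status means the Version header was missing or non-numeric and needs a manual look.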
Risk and Exploitability
The CVSS score of 6.4 indicates a medium severity threat, and the EPSS score of less than 1% suggests that exploitation is currently rare. It is not listed in the CISA KEV catalog. Attackers would need to authenticate to the WordPress administrative interface with contributor or higher privileges, so the primary vector is through legitimate site management activity. Despite the low exploitation probability, any compromised contributor account can inject malicious content, making prompt remediation advisable.