Impact
The Enter Addons plugin is vulnerable to stored cross-site scripting in its Countdown and Image Comparison widgets. Widget attributes supplied by the user are not sanitized, so an authenticated user with the contributor role or higher can inject a script that is persisted in site content and executed whenever any visitor views a page containing the widget. The injected payload runs in the context of the site, enabling cookie theft, session hijacking, defacement, or other client-side attacks.
Affected Systems
All installations of the Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress at version 2.2.7 or earlier are affected. Any user with contributor-level access or higher can trigger the vulnerability; no host or environment condition applies beyond the plugin version and the user role.
Risk and Exploitability
The base score of 6.4 indicates moderate severity. The EPSS score of less than 1 % suggests a low current probability of exploitation, and the flaw is not yet listed in the CISA KEV catalog. Exploitation requires authentication, so an attacker must first obtain at least contributor privileges. Once authenticated, the attacker can embed a script via the widget's attribute fields; the value is then stored and executed for every user who views the affected page. No network bypass or privileges beyond that role are needed, which lowers the barrier to entry, but the impact is confined to the site's front-end execution context.
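The sink described in the Impact and Risk sections above, shown as an added example that is not the Enter Addons plugin's code: an Elementor-style widget render function that echoes stored widget settings unescaped, next to a hardened version using WordPress core escaping functions. The setting keys (deadline, title, before_image, after_image, before_label, after_label, offset) are hypothetical placeholders, not the plugin's real attribute names.

```php
<?php
// Constructed example, not the plugin's code. In a real Elementor widget these
// values come from $this->get_settings_for_display() inside Widget_Base::render();
// Elementor does not escape them for you, the render method is responsible.

// --- Unsafe pattern: contributor-controlled settings dropped straight into markup.
// The value is saved with the page and rendered verbatim to every visitor,
// which is the stored XSS sink the advisory describes.
function render_countdown_unsafe( array $settings ): string {
    return '<div class="countdown" data-deadline="' . $settings['deadline'] . '">'
         . '<span class="title">' . $settings['title'] . '</span>'
         . '</div>';
}

// --- Hardened pattern: escape each value for the context it lands in.
// esc_attr() for attribute values, esc_html() for text nodes, esc_url() for
// src/href, absint() for values that must be integers. All are WordPress core.
function render_countdown_safe( array $settings ): string {
    return '<div class="countdown" data-deadline="' . esc_attr( $settings['deadline'] ) . '">'
         . '<span class="title">' . esc_html( $settings['title'] ) . '</span>'
         . '</div>';
}

// Same treatment for an image comparison widget: URLs, labels and a numeric
// slider offset each get the escaping function matching their output context.
function render_image_comparison_safe( array $settings ): string {
    return '<div class="image-compare">'
         . '<img src="' . esc_url( $settings['before_image'] ) . '"'
         . ' alt="' . esc_attr( $settings['before_label'] ) . '">'
         . '<img src="' . esc_url( $settings['after_image'] ) . '"'
         . ' alt="' . esc_attr( $settings['after_label'] ) . '">'
         . '<span class="offset" data-offset="' . absint( $settings['offset'] ) . '"></span>'
         . '</div>';
}
```

Contributors do not hold the unfiltered_html capability, so filtering saved values with wp_kses_post() on input is a reasonable extra layer, but context-aware escaping in the render path is what actually closes this sink.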
OpenCVE Enrichment