Impact
The Animated Text field of the Typeout Widget in Ultra Addons Lite for Elementor, in versions up to and including 1.1.9, does not properly validate or escape user input. This deficiency allows an attacker with contributor‑level or higher permissions to insert arbitrary JavaScript that is stored with the page content and rendered whenever the page is served. When a visitor views a page containing the edited widget, the attacker's script runs in that visitor's browser, enabling theft of user data, session hijacking, defacement, or redirection of victim traffic. The weakness is classified as CWE‑79, the cross-site scripting class that covers both reflected and stored XSS; the scenario here is the stored form, because the payload persists in the saved widget settings.
Affected Systems
Ultrapressorg Ultra Addons Lite for Elementor is affected when running version 1.1.9 or earlier; version 1.2.0 and above contain the fix. Administrators should check the exact installed version in the WordPress plugin list and either update the plugin to a fixed release or remove it.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests a very low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. However, because the attack requires only authenticated contributor‑level access, any site that allows contributors to edit content is at risk: a contributor can embed a malicious script that executes in the browser of every visitor to the affected page. The impact is confined to the site's content and its visitors rather than amounting to system-wide compromise. The likely attack vector is the WordPress administrative interface, where a contributor edits the Typeout Widget and submits malicious content that is stored and later rendered to all users.
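A defender-side check for the stored-content path described above, written as an added example (not the plugin's, OpenCVE's or WordPress's own code): it walks the JSON that Elementor keeps in a page's `_elementor_data` post meta, flags Typeout widgets whose Animated Text already holds markup, and shows the escaping a fixed renderer must apply before output. The widget type string and the settings key are placeholders (the real values come from an exported page of the actual plugin), and the pattern match is a triage heuristic, not an HTML parser.

```python
import html, json, re

# ASSUMPTION (placeholders, not the plugin's real identifiers): the Typeout
# widget's Elementor widgetType and the settings key of its Animated Text field.
TYPEOUT_WIDGET_TYPE = "ultra-typeout-widget"
ANIMATED_TEXT_KEY = "animated_text"

# Markup that never belongs in a plain animated-text string: any tag,
# an inline event-handler attribute, or a javascript: URL.
SUSPECT = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:", re.I)

def iter_widgets(elements):
    """Depth-first walk of Elementor's nested section/column/widget tree."""
    for el in elements:
        if el.get("elType") == "widget":
            yield el
        yield from iter_widgets(el.get("elements", []))

def find_unsafe_typeout_text(elementor_data: str):
    """(widget id, text) for each Typeout widget whose stored Animated Text
    holds markup an unescaped renderer would echo into the page verbatim."""
    findings = []
    for w in iter_widgets(json.loads(elementor_data)):
        if w.get("widgetType") != TYPEOUT_WIDGET_TYPE:
            continue
        raw = w.get("settings", {}).get(ANIMATED_TEXT_KEY, "")
        for text in map(str, raw if isinstance(raw, list) else [raw]):
            if SUSPECT.search(text):
                findings.append((w.get("id"), text))
    return findings

def escape_for_output(text: str) -> str:
    """Escaping the fixed renderer must apply before echoing into HTML
    (the WordPress equivalent is esc_html())."""
    return html.escape(text, quote=True)

# Constructed sample _elementor_data: one benign widget, one carrying markup.
SAMPLE = json.dumps([{"id": "s1", "elType": "section", "elements": [
    {"id": "c1", "elType": "column", "elements": [
        {"id": "w1", "elType": "widget", "widgetType": TYPEOUT_WIDGET_TYPE,
         "settings": {ANIMATED_TEXT_KEY: ["Fast", "Reliable", "Secure"]}},
        {"id": "w2", "elType": "widget", "widgetType": TYPEOUT_WIDGET_TYPE,
         "settings": {ANIMATED_TEXT_KEY: "Hi<script>/*constructed*/</script>"}},
    ]}]}])

if __name__ == "__main__":
    for wid, text in find_unsafe_typeout_text(SAMPLE):
        print(f"widget {wid}: {text!r} -> safe output {escape_for_output(text)!r}")
```

Run it against the `_elementor_data` meta of each post on a site that was on 1.1.9 or earlier to find content a contributor may already have stored; updating the plugin stops new injections but does not clean what is already saved.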
OpenCVE Enrichment