Impact
JetWidgets For Elementor for WordPress contains a stored cross‑site scripting flaw in how the Animated Box widget’s animation_effect option is saved and rendered. The plugin does not escape or validate this value before injecting it into an HTML class attribute. As a result, an attacker with author or higher privileges can insert arbitrary JavaScript that will run whenever anyone views the edited page. Based on the description, it is inferred that this injected script could compromise the confidentiality, integrity and availability of users who access the affected content.
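Because the payload is stored, updating the plugin does not clean up values already saved in page content. The following audit sketch is an added example, not code from the plugin or from this advisory: it walks an Elementor page document and reports every animation_effect setting that is not a plain class token. It assumes the document is the JSON that Elementor keeps in the _elementor_data post meta (nested elements carrying "id", "settings" and "elements"), and that legitimate effect names use only letters, digits, "-" and "_"; the sample document and its widget names are constructed.

```python
import json
import re

# Assumption: a legitimate effect name is a single CSS class token (or empty).
SAFE_CLASS_TOKEN = re.compile(r"[A-Za-z0-9_-]*")


def find_unsafe_effects(elementor_data, key="animation_effect"):
    """Return (element_id, value) for each `key` setting that is not a class token."""
    data = json.loads(elementor_data)
    stack = list(data) if isinstance(data, list) else [data]
    findings = []
    while stack:
        element = stack.pop()
        if not isinstance(element, dict):
            continue
        settings = element.get("settings")
        # Skip settings that are not an object (for example an empty list).
        if isinstance(settings, dict) and key in settings:
            value = settings[key]
            if not (isinstance(value, str) and SAFE_CLASS_TOKEN.fullmatch(value)):
                findings.append((element.get("id"), value))
        # Child elements (sections > columns > widgets) are nested here.
        stack.extend(element.get("elements") or [])
    return findings


# Constructed sample document: one clean widget, one whose value contains a
# quote and a space and would therefore break out of class="...".
SAMPLE = json.dumps([
    {"id": "a1b2", "elType": "section", "settings": [], "elements": [
        {"id": "e5f6", "elType": "column", "settings": {}, "elements": [
            {"id": "b7c8", "elType": "widget", "widgetType": "sample-box",
             "settings": {"animation_effect": "sample-effect-1"}, "elements": []},
            {"id": "c3d4", "elType": "widget", "widgetType": "sample-box",
             "settings": {"animation_effect": 'fade" data-x="1'}, "elements": []},
        ]},
    ]},
])

if __name__ == "__main__":
    for element_id, value in find_unsafe_effects(SAMPLE):
        print(f"element {element_id}: suspicious animation_effect {value!r}")
```

Any element it reports should be reviewed and re-saved with a known effect name after the plugin has been updated.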
Affected Systems
Any WordPress site that has JetWidgets For Elementor installed, version 1.0.21 or earlier, is vulnerable.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate to high severity. The EPSS score is not available, so the latest statistical likelihood of exploitation cannot be quantified. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires authenticated author‑level access; the attack vector is not remote but relies on legitimate WordPress privileges. Because malicious scripts execute on page load, it is inferred that the potential damage in terms of data theft or session hijacking could be significant for the site’s user base.