Impact
The vulnerability is a DOM‑based Cross‑Site Scripting flaw caused by improper neutralization of user input during web page generation. When a malicious query string or input value is processed by the X Addons for Elementor plugin, it can inject arbitrary JavaScript that runs in the context of a visitor’s browser. This enables attackers to perform session hijacking, defacement, phishing, or downstream attacks without needing to exploit server‑side code.
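The pattern behind a DOM-based XSS of this kind, shown as an added example that is not code from the X Addons for Elementor plugin: a query-string value is placed into markup with and without neutralization. The parameter name `title`, the widget markup and the sample URL are constructed assumptions.

```javascript
// Added example (not the plugin's code): a query-string value flowing into
// an HTML sink, shown as the CWE-79 anti-pattern beside its hardened form.
// The "title" parameter and the <h2> template are constructed assumptions.

// Escape the five characters that matter in HTML body text and in
// double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read one parameter from a query string; URLSearchParams does the
// percent-decoding, so the returned value is exactly what an attacker
// controls when they craft a link.
function readParam(queryString, name) {
  return new URLSearchParams(queryString).get(name) ?? '';
}

// ANTI-PATTERN (CWE-79): the decoded value is concatenated straight into
// markup that would later be assigned to innerHTML. Any markup in the URL
// becomes part of the page.
function renderUnsafe(queryString) {
  const title = readParam(queryString, 'title');
  return `<h2 class="widget-title">${title}</h2>`;
}

// HARDENED: the value is neutralized before it reaches the HTML context, so
// a crafted link can change the displayed text but not the document structure.
function renderSafe(queryString) {
  const title = readParam(queryString, 'title');
  return `<h2 class="widget-title">${escapeHtml(title)}</h2>`;
}

// Review-time oracle for widget render code: does the generated markup contain
// any tag other than the template's own <h2>/</h2>?
function introducesMarkup(html) {
  return /<(?!\/?h2\b)[a-z!\/]/i.test(html);
}

// In a real browser, prefer textContent (which never parses HTML) over
// building a string for innerHTML at all.
function setTitleText(element, queryString) {
  element.textContent = readParam(queryString, 'title');
}

// Constructed input: URL-encoded <b>hello</b>, benign markup used only to
// make the difference between the two renderers visible.
const sample = '?title=%3Cb%3Ehello%3C%2Fb%3E';
console.log(renderUnsafe(sample)); // tags survive into the markup
console.log(renderSafe(sample));   // tags are shown as literal text
```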
Affected Systems
The affected vendor is pencilwp and the product is X Addons for Elementor. Every release from the initial version up to and including 1.0.23 is affected.
Risk and Exploitability
The CVSS score is 6.5, indicating moderate severity. Based on the description, the likely attack vector is client‑side exploitation that requires victim interaction with a crafted URL or malicious input. The EPSS score is under 1% and the CVE is not listed in the CISA KEV catalog, indicating a low probability of exploitation in the wild. An attacker would need to entice a victim to load a malicious link or supply input that the plugin processes, after which arbitrary JavaScript executes in the visitor’s browser. This path requires no server‑side compromise and relies solely on the browser context of the exposed site.
OpenCVE Enrichment