Impact
The issue is the accidental insertion of sensitive information into data sent by the WPVibes Elementor Addon Elements plugin. Attackers who can interact with the plugin’s outputs can retrieve confidential data that was never intended for public exposure. This is classed as CWE-201 (Insertion of Sensitive Information Into Sent Data), an information disclosure weakness. No arbitrary code execution or denial of service is possible; the impact is limited to the unintended disclosure of sensitive data, potentially compromising application integrity or user privacy.
Affected Systems
WordPress sites running the Elementor Addon Elements plugin at any version up to and including 1.14.4 are affected; the earliest affected version is not specified. The vulnerability exists across all platform configurations that enable the plugin to process and return data to end users, including those that may expose configuration values or user credentials.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to trigger the plugin’s data output mechanism, most likely through normal user interactions or crafted HTTP requests, to read the exposed data. Because the plugin sends the data publicly, once the exploit is known, exposure can affect any user of the affected site. The lack of remote code execution limits the damage, but confidentiality is still at risk.