Impact
The Xpro Addons plugin for Elementor has a stored cross‑site scripting flaw in the Icon Box widget. Input supplied by any authenticated user with contributor or higher privileges is stored without proper sanitization or escaping, allowing arbitrary JavaScript to be embedded in the page content. Attackers can use this to execute client‑side scripts whenever a victim visits the page, potentially hijacking sessions, defacing content, or executing further malicious actions within the browser context. The weakness is identified as CWE‑79.
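To make the mechanism concrete, the following is an added example (not code from the Xpro Addons plugin or from Elementor) of a simplified Icon Box render routine in two forms: one that interpolates stored widget settings straight into the markup, and one that escapes each value for the HTML context it lands in. The settings field names, the function names and the sample values are assumptions for illustration; esc_html, esc_attr and esc_url are real WordPress core functions, with minimal stand-ins defined only so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's own code. A simplified Elementor-style Icon Box
// render routine shown unescaped and escaped. Field names ('title', 'icon_class',
// 'link_url') and both function names are assumptions for illustration.
//
// esc_html(), esc_attr() and esc_url() are WordPress core functions. The stand-ins
// below are defined only when running outside WordPress so the file is self-contained;
// inside a plugin the core versions are used and these definitions are skipped.

if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        // Text-node context: neutralise <, >, &, " and '.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        // Attribute-value context: the quote characters are what matter here.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Stand-in for esc_url: accept only http(s) URLs, otherwise return ''.
    // (The core function applies a broader protocol allow-list.)
    function esc_url(string $url): string {
        $url = trim($url);
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: stored settings are trusted and echoed verbatim. Anyone who
// can save widget settings (contributor or higher, per the advisory) controls the output.
function render_icon_box_unsafe(array $settings): string {
    return '<div class="icon-box ' . ($settings['icon_class'] ?? '') . '">'
         . '<a href="' . ($settings['link_url'] ?? '') . '">'
         . '<h3>' . ($settings['title'] ?? '') . '</h3>'
         . '</a></div>';
}

// Hardened pattern: each value is escaped for the exact context it is written into.
function render_icon_box_safe(array $settings): string {
    // A CSS class name never legitimately needs anything but these characters,
    // so allow-list on output in addition to escaping.
    $icon_class = preg_replace('/[^A-Za-z0-9_-]/', '', $settings['icon_class'] ?? '');
    return '<div class="icon-box ' . esc_attr($icon_class) . '">'
         . '<a href="' . esc_url($settings['link_url'] ?? '') . '">'
         . '<h3>' . esc_html($settings['title'] ?? '') . '</h3>'
         . '</a></div>';
}

// Simple output check a unit test could use: does a raw <script tag survive rendering?
function contains_raw_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed settings (not data from the advisory) that exercise the three contexts:
// text node, attribute value and URL. The values are inert markers, not live payloads.
$constructed = [
    'title'      => 'Services <script>/* constructed marker */</script>',
    'icon_class' => 'fa-star" data-constructed="',
    'link_url'   => 'javascript:void(0)',
];

echo "Unescaped output (vulnerable):\n" . render_icon_box_unsafe($constructed) . "\n\n";
echo "Escaped output (hardened):\n" . render_icon_box_safe($constructed) . "\n\n";

echo 'Raw <script tag present in vulnerable output: '
    . (contains_raw_script_tag(render_icon_box_unsafe($constructed)) ? 'yes' : 'no') . "\n";
echo 'Raw <script tag present in hardened output: '
    . (contains_raw_script_tag(render_icon_box_safe($constructed)) ? 'yes' : 'no') . "\n";
```

Run with `php icon_box_example.php`. In the hardened output the title becomes inert text, the attribute breakout is stripped by the class allow-list and escaped, and the non-http(s) URL is dropped. Escaping on output is the control that addresses CWE-79 regardless of what was stored; sanitising on save (in WordPress, typically gated on whether the saving user has the unfiltered_html capability, which contributors do not) is a useful second layer but does not replace it.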
Affected Systems
The vulnerability affects the Xpro Addons — 140+ Widgets for Elementor plugin for WordPress, specifically versions up to and including 1.4.24.
Risk and Exploitability
The CVSS score for the vulnerability is 6.4, indicating medium severity. EPSS data and CISA KEV status are not available for this entry, and there is currently no indication that it appears in known exploited vulnerability catalogs. Exploitation requires authenticated access with at least contributor rights; an attacker with that access can inject a payload that executes in the browser of any user who views the affected page. The impact is confined to users who view the page, but within that scope it could compromise the confidentiality and integrity of user sessions and the site’s UI. Given the lack of public exploits and the authentication requirement, the immediate risk is moderate, but the issue is still actionable.
OpenCVE Enrichment