Impact
This vulnerability resides in the PowerPack Addons for Elementor plugin and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The flaw is a stored cross-site scripting (XSS) issue: the plugin accepts unsanitized input and later renders it in a website page. The likely attack vector involves an authenticated user with content-creation permissions entering malicious code into an allowed field. The probable impact is that visitors who view the compromised page could have their session cookies hijacked or be redirected, and the site could be defaced, compromising confidentiality, integrity, and potentially availability. These consequences are inferred from typical stored XSS outcomes, as the official description does not detail the specific result.
Affected Systems
The affected product is IdeaBox Creations PowerPack Addons for Elementor. The CVE description gives the affected range as n/a through 2.9.9, so all plugin versions from the earliest available through 2.9.9 are impacted. WordPress sites that have installed and activated this plugin within that version range are potentially affected.
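To triage an inventory of sites against this range, the following added example (not part of the advisory or the plugin's code) reads the `Version:` header from a plugin's main PHP file and compares it numerically with 2.9.9. The sample headers, site names and the version 2.10.0 are constructed for illustration; the 8 KiB window mirrors how WordPress reads plugin headers.

```python
import re

LAST_AFFECTED = "2.9.9"   # upper bound of the range stated in the advisory
HEADER_WINDOW = 8192      # WordPress reads plugin headers from the first 8 KiB
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:(.*)$", re.I | re.M)

def header_version(php_source):
    """Return the Version header of a plugin's main file, or None if absent."""
    m = VERSION_RE.search(php_source[:HEADER_WINDOW])
    value = m.group(1).strip() if m else ""
    return value or None

def version_key(version):
    """'2.10.0' -> (2, 10); numeric compare, trailing zeros and suffixes dropped."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece.strip())
        parts.append(int(digits.group()) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def classify(php_source):
    """'affected', 'outside range', or 'unknown' (no readable Version header)."""
    version = header_version(php_source)
    if version is None:
        return "unknown"
    if version_key(version) <= version_key(LAST_AFFECTED):
        return "affected"
    return "outside range"

# Constructed sample headers, not copied from the real plugin.
SAMPLES = {
    "site-a": "<?php\n/**\n * Plugin Name: PowerPack Addons for Elementor\n * Version: 2.9.9\n */\n",
    "site-b": "<?php\n/**\n * Plugin Name: PowerPack Addons for Elementor\n * Version: 2.10.0\n */\n",
    "site-c": "<?php\n// header stripped by a build step\n",
}

if __name__ == "__main__":
    for site, source in SAMPLES.items():
        print(site, header_version(source), classify(source))
```

A plain string comparison would sort "2.10.0" below "2.9.9" and wrongly flag it, which is why the components are compared as integers. An "unknown" result means the header could not be read and the install needs manual review.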
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. From the description, the vulnerability can be exploited by submitting malicious content via the plugin’s input fields; the attacker does not require elevated privileges beyond those provided to a content‑authoring user.