Impact
Unauthenticated cross‑site scripting has been discovered in the WPZOOM Addons for Elementor WordPress plugin, affecting all releases up to and including version 1.3.4. The flaw allows an attacker to inject arbitrary client‑side code that will execute in the browsers of visitors who load a page rendering the plugin.
Affected Systems
The issue impacts the WPZOOM Addons for Elementor plugin, which is installed on WordPress sites that use the Elementor page builder. All installations running plugin version 1.3.4 or earlier are affected.
Risk and Exploitability
The CVSS base score of 7.1 indicates a medium‑to‑high risk. Based on the description, it is inferred that the attack can be performed by an unauthenticated user over a network, potentially via crafted URLs or content that triggers the plugin’s processing. EPSS data is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog.
OpenCVE Enrichment