The Sky Addons – Elementor Addons with Widgets & Templates WordPress plugin suffers from a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input in the wrapper link URL attribute. This allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. The injected scripts execute in the context of users who visit the compromised pages, potentially leading to session hijacking or other client-side attacks. The vulnerability affects all versions up to and including 2.4.0. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, and impacts on confidentiality and integrity with no availability impact. No vendor advisory or patch information is currently available.

An attacker with contributor-level or higher permissions can inject persistent malicious scripts into pages via the wrapper link URL attribute. These scripts execute in the browsers of users who view the affected pages, potentially compromising user sessions or performing unauthorized actions within the context of the victim's browser. The impact is limited to confidentiality and integrity, with no direct availability impact. The vulnerability requires authenticated access, reducing the attack surface compared to unauthenticated vulnerabilities.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level permissions to trusted users only and consider disabling or limiting use of the Sky Addons plugin features that accept user-supplied URLs. Monitor for updates from the vendor and apply patches promptly once released.