This vulnerability in the Primary Addon for Elementor plugin (versions ≤ 1.5.7) allows stored cross-site scripting due to improper input neutralization during web page generation. An attacker with low privileges and requiring user interaction can inject malicious scripts that execute in the context of other users, potentially impacting confidentiality, integrity, and availability. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, reflecting network attack vector, low attack complexity, low privileges required, user interaction needed, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of other users, potentially leading to partial disclosure of information, modification of data, or disruption of service. The impact is limited by the requirement of low privileges and user interaction. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with user input and consider disabling or restricting use of the affected plugin version. Monitor vendor channels for updates and apply patches promptly once released.