The Essential Addons for Elementor Pro plugin for WordPress contains a stored cross-site scripting vulnerability (CWE-79) in its Team Member Carousel widget due to improper neutralization of input during web page generation. Authenticated users with contributor-level privileges or higher can inject arbitrary scripts via insufficiently sanitized user input, which then execute in the context of any user viewing the compromised page. This vulnerability affects all Pro versions up to and including 5.8.14. The CVSS 3.1 vector indicates network attack vector, low attack complexity, privileges required at low level, no user interaction, and impacts confidentiality and integrity with no availability impact.

An attacker with contributor-level access or higher can exploit this vulnerability to inject malicious scripts that execute in the browsers of users who visit the affected pages. This can lead to unauthorized actions such as session hijacking, defacement, or theft of sensitive information accessible via the browser context. The impact is limited to confidentiality and integrity, with no direct availability impact. Since the vulnerability requires authenticated access, the attack surface is somewhat limited but still significant in environments where multiple users have contributor or higher roles.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider restricting contributor-level access or higher to trusted users only and monitor for suspicious activity related to the Team Member Carousel widget. Avoid using the affected widget if possible. Follow updates from the Essential Addons vendor for an official patch or mitigation instructions.