This vulnerability involves improper input neutralization in the Primary Addon for Elementor plugin (versions ≤ 1.6.0), leading to stored cross-site scripting (XSS). An attacker with low privileges can inject malicious scripts that execute when other users view the affected content. The CVSS 3.1 vector indicates network attack vector, low attack complexity, required privileges are low, user interaction is required, scope is changed, and impacts confidentiality, integrity, and availability to a low degree. No patch or official fix is currently documented.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected website, potentially leading to data disclosure, modification, or disruption of service. The impact is rated medium due to the requirement for user interaction and low privileges but with a changed scope affecting confidentiality, integrity, and availability at a low level.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider restricting access to the plugin features that accept user input or apply web application firewall (WAF) rules to detect and block XSS payloads. Monitor official nicheaddons communications for updates and apply patches promptly once released.