The Elementor Website Builder plugin for WordPress contains a stored cross-site scripting vulnerability (CWE-79) in its Text Path widget. This vulnerability is due to improper neutralization of user input when generating SVG markup, allowing authenticated attackers with contributor-level permissions or higher to inject malicious scripts into pages. These scripts execute in the context of any user viewing the affected page, potentially leading to session hijacking or other script-based attacks. The vulnerability affects all versions up to and including 3.33.3. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges at the contributor level, no user interaction needed, and impacts on confidentiality and integrity but not availability. No patch or official fix information is currently available.

An attacker with contributor-level or higher access can inject persistent malicious scripts into pages via the Text Path widget. These scripts execute in the browsers of users who visit the infected pages, potentially allowing theft of sensitive information or unauthorized actions within the context of the affected site. The impact is limited to confidentiality and integrity, with no direct availability impact. The requirement for authenticated access reduces the risk to some extent but does not eliminate it, especially on sites with multiple contributors.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, site administrators should restrict contributor-level access to trusted users only and consider disabling or limiting use of the Text Path widget. Monitoring for unusual script injections in page content may help detect exploitation attempts. Once a vendor patch or update is available, apply it promptly to remediate the vulnerability.