This vulnerability in ElementInvader Addons for Elementor (<= 1.3.3) involves improper input neutralization during web page generation, leading to stored cross-site scripting (XSS). An attacker with low privileges can inject malicious scripts that execute when a user interacts with the affected content, potentially compromising confidentiality, integrity, and availability to a limited extent. The CVSS 3.1 vector indicates network attack vector, low attack complexity, privileges required, user interaction required, and scope changed. No patch or vendor advisory is currently provided, and the product is not a cloud service.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected web application, potentially leading to partial disclosure of information, modification of data, and disruption of availability. The impact is limited by the requirement for user interaction and low privileges, but the scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with this plugin, restrict privileges where possible, and avoid interacting with untrusted content that may trigger the vulnerability. Monitor vendor channels for updates or patches addressing this issue.