The WPoperation Elementor Addons plugin for WordPress contains a stored cross-site scripting vulnerability due to improper input neutralization during web page generation. This flaw allows an attacker with low privileges to inject malicious scripts that execute when a user interacts with the affected content, potentially impacting confidentiality, integrity, and availability to a limited extent. The vulnerability affects all versions up to 1.1.9. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, required privileges, user interaction, and partial impact on security properties. No patch or vendor advisory has been provided to confirm remediation status.

Successful exploitation of this stored XSS vulnerability could allow an attacker to execute arbitrary scripts in the context of affected users, potentially leading to limited disclosure of information, modification of data, or disruption of service. The attack requires user interaction and low privileges, limiting the scope but still posing a risk to site users and administrators. There are no known active exploits reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting user input capabilities, applying web application firewall (WAF) rules to detect and block XSS payloads, and limiting privileges of users who can submit content. Monitor vendor channels for updates and apply patches promptly once released.