The Elementor Website Builder plugin improperly neutralizes input during web page generation, specifically in the _elementor_data meta field. This occurs because the plugin registers this meta field with show_in_rest but does not specify a sanitize_callback, relying instead on a rest_pre_insert_post filter that only sanitizes JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request, json_decode() fails, causing sanitization to be skipped. Unsanitized data is stored via update_post_meta() and later output without escaping in multiple widget sinks, including the HTML widget's print_unescaped_setting() function. This allows authenticated contributors or higher to inject stored XSS payloads that execute in users' browsers when viewing the affected pages.

An attacker with contributor-level or higher privileges can inject malicious JavaScript into pages via the REST API, which is then stored and executed in the context of any user viewing those pages. This can lead to theft of user credentials, session hijacking, or other malicious actions performed in the victim's browser. The vulnerability does not affect availability and requires authentication, limiting its scope. No known active exploitation has been reported.

No official patch or remediation is currently available. Users should monitor the vendor's advisory channels for updates. Until a fix is released, restrict contributor-level access to trusted users only and consider disabling or limiting REST API access if feasible. Review and sanitize any user-generated content manually where possible. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.