The Master Addons For Elementor plugin for WordPress suffers from a stored cross-site scripting vulnerability due to improper neutralization of input in the 'jtlma_custom_js' page setting. Authenticated attackers with author-level access can bypass UI-level restrictions by sending crafted POST requests to admin-ajax.php?action=elementor_ajax, injecting malicious JavaScript that executes in the context of users viewing the affected pages. This vulnerability arises from insufficient input sanitization and output escaping, combined with a flawed enforcement of the unfiltered_html capability only during UI rendering but not during data saving.

An attacker with author-level privileges can inject persistent malicious JavaScript code into pages, which executes in the browsers of users who visit those pages. This can lead to theft of user credentials, session hijacking, or other malicious actions within the context of the affected site. The vulnerability does not affect availability but impacts confidentiality and integrity. The CVSS score of 6.4 reflects a medium severity with network attack vector, low attack complexity, and privileges required at the author level.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict author-level user privileges to trusted individuals only. Monitor for suspicious activity related to the 'jtlma_custom_js' setting and consider disabling or limiting the use of the Custom JS Extension feature if possible. Avoid granting unfiltered_html capabilities to users without full trust. Follow updates from the plugin vendor for an official patch or mitigation.