Name of the Vulnerable Software and Affected Versions:

Elementor Website Builder – More Than Just a Page Builder plugin for WordPress versions prior to 3.30.3

Description:

The Elementor Website Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting via the `data-text` DOM element attribute in the Text Path widget due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. This issue affects only Chrome and Edge browsers.

Recommendations:

Update Elementor Website Builder – More Than Just a Page Builder plugin for WordPress to version 3.30.3 or later.