Attack Vectors

WPZOOM Addons for Elementor – Starter Templates & Widgets (slug: wpzoom-elementor-addons) has a Medium severity vulnerability (CVSS 6.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) affecting versions up to and including 1.3.4. The issue is an unauthenticated reflected cross-site scripting (XSS) flaw via the ‘title_tag’ parameter.

Because it is unauthenticated (no login required) and network-reachable, an attacker can craft a link that includes malicious script content in the request. The attacker’s practical route is typically social engineering: sending a link through email, chat, or a marketing workflow (for example, a “preview” or “report” link) and relying on a user to click it (the CVSS vector indicates UI:R – user interaction is required).

This is especially relevant for organizations where marketing, content, and web teams routinely open external links (press, partners, agencies, campaign review) and where browser sessions may already be authenticated to the WordPress site or related tools.

Security Weakness

The vulnerability exists due to insufficient input sanitization and output escaping for the ‘title_tag’ parameter in affected versions. In simple terms, the plugin may accept attacker-controlled text and then reflect it back into a page in a way that a browser can interpret as script.

This is a classic web application weakness: when user-supplied input is not properly handled, it can be rendered as active content. The published remediation is to update WPZOOM Addons for Elementor – Starter Templates & Widgets to version 1.3.5 or newer, which contains the fix (per the vendor/community advisory source).

Reference source: Wordfence vulnerability entry.

Technical or Business Impacts

Reflected XSS commonly leads to session and browser-based abuse when a victim loads the crafted URL. While the impact depends on what the victim can access, the business risk tends to be highest when the victim is an authenticated user (for example, a marketer, site editor, or administrator).

Potential impacts for marketing leaders and executives include:

Account and workflow disruption: scripts executed in a victim’s browser can enable actions in the context of that user’s session, potentially affecting publishing workflows, landing pages, or site configuration (depending on permissions and what the browser can access).

Data exposure risk: the CVSS score indicates low confidentiality and integrity impact (C:L/I:L), meaning there is plausible exposure or manipulation of some information or content in the victim’s context, even if it may not result in full site takeover by itself.

Brand and compliance consequences: even a medium-severity web injection issue can trigger customer concern, internal incident handling, and reporting obligations (depending on jurisdiction and the nature of the data involved), and it can undermine trust in digital campaigns and web properties.

Operational costs: time spent on incident triage, forced password resets, campaign pauses, and emergency change windows can directly impact revenue targets and planned launches.

Similar Attacks

Reflected XSS is a common and recurring class of issue across popular web software and dependencies. One widely cited example is the jQuery XSS family of vulnerabilities that affected many sites and products that embedded older library versions:

CVE-2020-11022 (jQuery) – XSS vulnerability in jQuery before 3.5.0