CVE-2024-9994: 
WordPress vulnerability analysis and mitigation

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_pricing_item_tooltip_content parameter of the Pricing Table Widget in versions up to 6.1.12. This vulnerability was discovered and disclosed on June 7, 2025 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping on user supplied attributes in the Pricing Table Widget's tooltip content parameter. The issue has been assigned a CVSS v3.1 base score of 6.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) (NVD, Wiz).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses the affected page, potentially leading to theft of sensitive information or other client-side attacks (NVD).

Users should update to a version newer than 6.1.12 when available. Until an update is possible, it is recommended to restrict access to the Pricing Table Widget functionality to only trusted users (NVD).