The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's custom_attributes setting in versions up to and including 6.4.11. The render function in modules/widgets/tp_button.php passed the raw custom_attributes string through tp_senitize_js_input(). This filter is bypassable. The issue is patched in version 6.4.12.