WordPress Plugin Vulnerabilities

Elementor Website Builder < 4.0.5 - Contributor+ Stored XSS via REST API

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the _elementor_data meta field with show_in_rest but omits a sanitize_callback, relying instead on a rest_pre_insert_post filter (the sanitize_post_data function) that only sanitizes JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request to the WordPress REST API, the json_decode() call on the raw body returns null, so all sanitization is skipped. The unsanitized data is then stored via update_post_meta() and later output without escaping through multiple widget sinks, including the HTML widget's print_unescaped_setting() function. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page.
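The root cause described above is that sanitization lives in a request-level filter that only understands one body encoding. The following is an added illustration, not Elementor's own code, of the hardened pattern: attach a sanitize_callback to the meta registration so it runs inside update_post_meta() for every write path, and, if a rest_pre_insert_post filter is kept, read the parsed parameters instead of decoding the raw body. The example_ functions and the wp_kses_post()-based allow-list are assumptions for illustration.

```php
<?php
// Added illustration, not Elementor's code: tie sanitization of the
// _elementor_data meta field to the meta write itself so it applies
// regardless of whether the REST body is JSON or form-encoded.

// Assumed helper: recursively apply wp_kses_post() to every string in
// the decoded element tree. The plugin's real allow-list may differ.
function example_sanitize_elementor_tree( $node ) {
    if ( is_array( $node ) ) {
        return array_map( 'example_sanitize_elementor_tree', $node );
    }
    return is_string( $node ) ? wp_kses_post( $node ) : $node;
}

// sanitize_callback: WordPress runs this inside update_post_meta(),
// so it cannot be bypassed by changing the request encoding.
function example_sanitize_elementor_data( $value ) {
    $tree = json_decode( (string) $value, true );
    if ( ! is_array( $tree ) ) {
        return ''; // not a valid element tree: store nothing, not raw input
    }
    return wp_json_encode( example_sanitize_elementor_tree( $tree ) );
}

add_action( 'init', function () {
    register_meta( 'post', '_elementor_data', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => true,
        'sanitize_callback' => 'example_sanitize_elementor_data',
        // Underscore-prefixed (protected) keys need an auth_callback for REST.
        'auth_callback'     => function ( $allowed, $meta_key, $post_id ) {
            return current_user_can( 'edit_post', $post_id );
        },
    ) );
} );

// If a rest_pre_insert_post filter is kept as a second layer, read the
// parsed parameters: json_decode( $request->get_body() ) is null for a
// form-encoded body, whereas get_param() is populated for both encodings.
add_filter( 'rest_pre_insert_post', function ( $prepared_post, $request ) {
    $meta = $request->get_param( 'meta' );
    if ( is_array( $meta ) && isset( $meta['_elementor_data'] ) ) {
        $meta['_elementor_data'] = example_sanitize_elementor_data( $meta['_elementor_data'] );
        $request->set_param( 'meta', $meta );
    }
    return $prepared_post;
}, 10, 2 );
```

The sanitize_callback is the layer that actually closes the gap; the filter is only defence in depth, and a quick check for this class of bug is to send the same meta update once as JSON and once form-encoded and confirm the stored value is identical.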

Affects Plugins

Fixed in 4.0.5


Classification

Type
XSS

Miscellaneous

Original Researcher
Jonah Burgess (CryptoCat)
Verified
No

Timeline

Publicly Published
2026-04-30
Added
2026-05-04
Last Updated
2026-05-04
