The Elementor Page Builder plugin prior to 2.8.4 for WordPress does not sanitize data during creation of a new template.
elementor website builder
Vulmon