CVE-2024-11367 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Smoove connector for Elementor forms, a WordPress plugin developed by matansmoove. The vulnerability stems from the improper neutralization of input during web page generation, specifically due to the use of the WordPress function add_query_arg without appropriate escaping of URL parameters. This flaw exists in all versions up to and including 4.1.0. Because of this, an unauthenticated attacker can craft a malicious URL containing arbitrary JavaScript code. When a victim clicks on this URL, the injected script executes in the context of the vulnerable website, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect the user to malicious sites. The vulnerability requires no authentication but does require user interaction (clicking a malicious link). The CVSS v3.1 base score is 6.1, reflecting a medium severity with a network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change due to potential impact beyond the vulnerable component. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered a risk for all sites using the affected plugin versions. The CWE classification is CWE-79, indicating improper input neutralization leading to XSS.

The primary impact of this vulnerability is on the confidentiality and integrity of user data and sessions on affected websites. Successful exploitation can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential redirection to malicious websites. For organizations, this can result in compromised user accounts, reputational damage, loss of customer trust, and potential regulatory penalties if user data is exposed. Since the vulnerability is reflected XSS, it requires user interaction, which somewhat limits mass exploitation but targeted phishing campaigns could be effective. The scope of affected systems includes any WordPress site using the Smoove connector for Elementor forms plugin up to version 4.1.0, which may be widespread given Elementor's popularity. The vulnerability does not affect availability directly but can be leveraged as part of broader attack chains. Organizations relying on this plugin for form handling are at risk, especially those with high user interaction or sensitive data collection through forms.

To mitigate this vulnerability, organizations should first check if they are using the Smoove connector for Elementor forms plugin and identify the version. Immediate action is to update the plugin to a version where the vulnerability is patched once available. If no patch is currently released, temporary mitigations include disabling the plugin or the affected form functionalities to prevent exploitation. Web application firewalls (WAFs) can be configured to detect and block suspicious query parameters or known attack patterns related to reflected XSS. Additionally, site administrators should implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Educating users to avoid clicking suspicious links can reduce risk from phishing attempts. Developers should review and sanitize all user inputs and ensure proper escaping when using functions like add_query_arg. Regular security audits and monitoring for unusual activity on affected sites are recommended until the vulnerability is fully remediated.