CVE-2024-1235 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 found in the Elementor Addons by Livemesh plugin for WordPress. This vulnerability exists in all versions up to and including 8.3.2 due to improper neutralization of input during web page generation. Specifically, the plugin fails to adequately sanitize and escape user input submitted through the custom class field, allowing authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code. When a victim accesses a page containing the injected script, the malicious code executes in their browser context, potentially leading to session hijacking, privilege escalation, or other malicious actions performed with the victim's privileges. The vulnerability requires authentication but no user interaction beyond viewing the compromised page. The CVSS 3.1 base score of 6.4 reflects a network attack vector with low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing contributor-level users to edit content. The lack of available patches at the time of disclosure necessitates immediate mitigation steps.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity on affected WordPress sites. An attacker with contributor or higher privileges can inject persistent malicious scripts that execute in the browsers of any users viewing the infected pages, including administrators or other privileged users. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of victims, and potential spread of malware. Although availability is not directly affected, the reputational damage and trust loss from such attacks can be significant. Organizations relying on the Elementor Addons by Livemesh plugin are at risk of targeted attacks, especially if contributor roles are assigned to untrusted users or if the site has high traffic. The vulnerability could be leveraged in broader attack campaigns to compromise multiple sites or users. Given WordPress's widespread use globally, the impact can be extensive if not addressed promptly.

1. Immediately restrict contributor and higher privileges to trusted users only, minimizing the risk of malicious input. 2. Implement strict input validation and output encoding on the custom class field at the application level if possible, using security plugins or custom code to sanitize inputs before saving or rendering. 3. Monitor and audit content changes made by contributors for suspicious or unexpected script injections. 4. Employ Web Application Firewalls (WAFs) with rules targeting stored XSS patterns specific to this plugin's custom class field. 5. Disable or remove the Elementor Addons by Livemesh plugin temporarily if patching is not yet available and the risk is high. 6. Keep WordPress core and all plugins updated and subscribe to vendor security advisories for timely patch releases. 7. Educate site administrators and content editors about the risks of XSS and safe content management practices. 8. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the site. These measures combined can reduce the attack surface and mitigate exploitation until an official patch is released.