CVE-2024-12851 is a stored cross-site scripting vulnerability identified in the bdthemes Element Pack Elementor Addons plugin for WordPress, specifically impacting the Header Footer, Template Library, Dynamic Grid, Carousel, and Remote Arrows components. The vulnerability stems from improper neutralization of input (CWE-79) in the custom_attributes parameter of the Cookie Consent Widget, where insufficient sanitization and output escaping allow malicious script injection. Authenticated attackers with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code that is persistently stored and executed in the context of any user visiting the affected page. This can lead to session hijacking, privilege escalation, or defacement. The vulnerability is exploitable remotely over the network without user interaction but requires authenticated access, which lowers the attack complexity. The CVSS 3.1 base score of 6.4 reflects a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impacts. No patches or official fixes are currently linked, and no known exploits have been observed in the wild. The vulnerability affects all versions up to and including 5.10.14 of the plugin. Given the widespread use of WordPress and Elementor-based plugins, this vulnerability poses a significant risk to websites using this addon for cookie consent and page elements.

The primary impact of CVE-2024-12851 is the potential for attackers with limited authenticated access to inject persistent malicious scripts into web pages, which execute in the browsers of site visitors. This can lead to session hijacking, theft of sensitive user data, unauthorized actions performed on behalf of users, and website defacement. For organizations, this can result in reputational damage, loss of customer trust, and potential regulatory penalties if user data is compromised. Since the vulnerability requires Contributor-level access, attackers may exploit weak or compromised credentials or leverage other vulnerabilities to gain such access. The scope includes all websites using the affected plugin versions, which may be numerous given the popularity of WordPress and Elementor addons. Although no known exploits are reported yet, the ease of exploitation and the persistent nature of stored XSS make this a credible threat. The vulnerability does not impact availability but compromises confidentiality and integrity, which can have cascading effects on organizational security posture.

Organizations should immediately verify if they use the bdthemes Element Pack Elementor Addons plugin, specifically versions up to 5.10.14. Since no official patch links are provided, administrators should monitor bdthemes and WordPress security advisories for updates or patches addressing this issue. In the interim, restrict Contributor-level and higher privileges to trusted users only and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of account compromise. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the custom_attributes parameter. Review and sanitize all user-generated content inputs rigorously, especially in the Cookie Consent Widget. Consider disabling or replacing the vulnerable widget or plugin components if patching is not immediately possible. Conduct regular security audits and penetration testing focusing on XSS vectors. Educate site administrators and developers on secure coding practices and the risks of stored XSS. Finally, monitor logs and user reports for signs of exploitation or unusual activity related to this vulnerability.