CVE-2024-13155 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Unlimited Elements For Elementor plugin for WordPress. The vulnerability specifically resides in the Transparent Split Hero widget, affecting all versions up to and including 1.5.140. The root cause is insufficient sanitization and escaping of user-supplied input attributes, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the context of any user who visits the compromised page, potentially enabling session hijacking, privilege escalation, or defacement. Exploitation does not require user interaction but does require authenticated access at contributor level or above, limiting the attack surface to insiders or compromised accounts. The widget code is separate from the main plugin codebase, so applying the patch involves manually deleting and reinstalling the Transparent Split Hero widget. The vulnerability has a CVSS v3.1 score of 6.4, indicating medium severity, with an attack vector of network, low attack complexity, and no user interaction required. No known exploits are reported in the wild as of the publication date. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content or attributes.

The impact of CVE-2024-13155 is primarily on the confidentiality and integrity of affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially stealing session cookies, performing actions on behalf of users, or delivering further malware. This can lead to account takeover, defacement, or loss of user trust. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by proper user role management, but insider threats or compromised contributor accounts remain a concern. The vulnerability does not affect availability directly but can indirectly cause service disruption through defacement or administrative lockout. Organizations relying on the Unlimited Elements For Elementor plugin, especially those with multiple contributors or public-facing WordPress sites, face increased risk of targeted attacks or automated exploitation attempts once the vulnerability becomes widely known. The need for manual widget reinstallation complicates patch management and may delay remediation, increasing exposure time.

To mitigate CVE-2024-13155, organizations should first restrict contributor-level access to trusted users only, minimizing the risk of malicious script injection. Site administrators must manually delete and reinstall the Transparent Split Hero widget to apply the patch, as the vulnerable widget code is not included in the main plugin update. It is critical to verify that the widget version is updated to a non-vulnerable release before re-enabling it on live sites. Additionally, implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads can provide a temporary layer of defense. Regularly auditing user roles and permissions, enforcing strong authentication, and monitoring for unusual content changes or injected scripts will help detect exploitation attempts. Site owners should also keep all WordPress core and plugins updated and consider disabling or removing unused widgets and plugins to reduce the attack surface. Finally, educating contributors about safe content practices and the risks of XSS can reduce accidental exploitation.