CVE-2024-13155 is a stored cross-site scripting vulnerability (CWE-79) in the Unlimited Elements For Elementor WordPress plugin, specifically in the Transparent Split Hero widget. The flaw results from improper neutralization of input during web page generation, allowing authenticated users with contributor or higher privileges to inject malicious scripts via user-supplied attributes. These scripts execute in the context of any user viewing the compromised page. The vulnerability affects all versions up to 1.5.140. Due to the widget code being separate from the main plugin, remediation involves manually deleting and reinstalling the affected widget rather than a simple plugin update. No official patch or automated fix is currently documented.

An attacker with contributor-level access or higher can inject persistent malicious scripts into pages using the Transparent Split Hero widget. This can lead to execution of arbitrary JavaScript in the context of users viewing the page, potentially resulting in session hijacking, defacement, or other client-side attacks. The vulnerability does not affect unauthenticated users directly and requires at least contributor privileges to exploit. There is no indication of impact to availability or server-side data compromise.

No official patch or automated fix is currently available. The vendor notes that to remediate this vulnerability, the affected Transparent Split Hero widget must be manually deleted and reinstalled. Users should perform this manual remediation to remove the vulnerable widget code. Until this is done, restrict contributor-level access to trusted users only. Monitor vendor advisories for any forthcoming official patches or updates.