CVE-2024-13445 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Elementor Website Builder plugin for WordPress, a widely used tool for designing and managing website pages. The vulnerability affects all versions up to and including 3.27.4. It stems from improper neutralization of input during web page generation, specifically in the handling of the border, margin, and gap parameters. These parameters are not sufficiently sanitized or escaped before being rendered on pages, allowing an authenticated attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code. Because the malicious script is stored within the page content, it executes every time any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the page and does not require elevated privileges beyond Contributor access, which is commonly granted to users who can create or edit content but not publish. The CVSS 3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed because the vulnerability affects other users who view the page, not just the attacker. No public exploits have been reported yet, but the widespread use of Elementor and WordPress makes this a significant risk. The vulnerability is categorized under CWE-79, which covers improper input neutralization leading to XSS. The lack of patch links suggests a fix may not yet be publicly available, increasing urgency for mitigation.

This vulnerability allows attackers with relatively low privileges (Contributor or above) to inject persistent malicious scripts into web pages, which execute in the browsers of any visitors to those pages. The impact includes potential theft of authentication cookies, session hijacking, defacement of websites, redirection to malicious sites, and execution of further attacks such as phishing or malware delivery. Because the vulnerability affects a popular WordPress plugin used globally, many websites—ranging from small blogs to large corporate sites—are at risk. The compromise of user sessions can lead to unauthorized access to user accounts, data leakage, and erosion of user trust. Additionally, attackers could leverage this vulnerability as a foothold for further compromise within the affected web environment. The medium CVSS score reflects that while the attack requires some privileges, the ease of exploitation and the broad impact on confidentiality and integrity make it a significant threat. Availability is not impacted directly. The scope change indicates that the vulnerability affects users beyond the attacker, increasing its severity in multi-user environments.

1. Immediately restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 2. Monitor and audit all content changes, especially those involving border, margin, and gap parameters, for suspicious or unexpected scripts. 3. Implement a Web Application Firewall (WAF) with robust XSS detection and blocking capabilities to filter malicious payloads before they reach the site. 4. Apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the website. 5. Regularly update the Elementor plugin as soon as a security patch is released to address this vulnerability. 6. Use security plugins that sanitize user inputs and outputs beyond the default WordPress and Elementor capabilities. 7. Educate content contributors about safe content creation practices and the risks of injecting untrusted code. 8. Consider temporarily disabling or limiting the use of the affected parameters (border, margin, gap) if possible until a patch is available. 9. Conduct penetration testing and vulnerability scanning focused on XSS to detect any exploitation attempts or residual vulnerabilities.