CVE-2024-13547 is a stored cross-site scripting vulnerability classified under CWE-79, found in the aThemes Addons for Elementor plugin for WordPress. This plugin extends Elementor’s functionality, widely used for building WordPress websites. The vulnerability specifically affects the Image Accordion widget, where insufficient sanitization of user input and lack of proper output escaping allow malicious scripts to be stored in the website’s content. An attacker with Contributor-level privileges or higher can exploit this by injecting arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially compromising their sessions or enabling further attacks such as privilege escalation or data theft. The vulnerability does not require user interaction beyond visiting the injected page and does not affect unauthenticated users directly. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects network attack vector, low attack complexity, requiring privileges, no user interaction, with a scope change and low impact on confidentiality and integrity, and no impact on availability. No patches have been officially released as of the publication date, and no known exploits are reported in the wild. The vulnerability was reserved and published in early 2025, indicating recent discovery and disclosure.

This vulnerability poses a significant risk to organizations using the aThemes Addons for Elementor plugin, especially those allowing Contributor-level access to multiple users. Successful exploitation can lead to persistent XSS attacks, enabling attackers to hijack user sessions, steal cookies, deface websites, or perform unauthorized actions within the context of the victim’s browser session. This can compromise the integrity and confidentiality of site data and user information. Since the attack requires authenticated access, insider threats or compromised accounts are primary vectors. The scope change in the CVSS score indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire website. For organizations relying on WordPress for critical business functions, this can lead to reputational damage, data breaches, and regulatory compliance issues. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits rapidly once the vulnerability is public.

Organizations should immediately audit user roles and permissions to restrict Contributor-level access to trusted users only. Implement strict input validation and output encoding on all user-generated content, especially in widgets like Image Accordion. Monitor and review content submitted by contributors for suspicious scripts or anomalies. Since no official patch is available yet, consider temporarily disabling the vulnerable widget or the entire aThemes Addons for Elementor plugin if feasible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting this plugin. Keep WordPress core, themes, and plugins updated regularly and subscribe to vendor advisories for prompt patch releases. Additionally, educate site administrators and users about the risks of XSS and the importance of secure content management practices. Conduct regular security scans and penetration tests focusing on plugin vulnerabilities and user privilege misuse.