CVE-2024-13642 is a stored cross-site scripting (XSS) vulnerability identified in the Stratum – Elementor Widgets plugin for WordPress, affecting all versions up to and including 1.4.7. The flaw resides in the Image Hotspot widget, where user-supplied input is not properly sanitized or escaped before being embedded in web pages. This improper neutralization of input (CWE-79) allows authenticated attackers with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability requires the attacker to have some level of authenticated access, but no additional user interaction is necessary for exploitation once the malicious content is injected. The CVSS v3.1 base score of 6.4 reflects a medium severity, with network attack vector, low complexity, privileges required, no user interaction, and a scope change due to impact on other users. No known exploits are currently in the wild, but the vulnerability poses a significant risk to websites using this plugin, especially those allowing contributor-level users to add or edit content. The lack of official patches at the time of publication necessitates immediate mitigation efforts.

This vulnerability can lead to significant security risks for organizations running WordPress sites with the Stratum – Elementor Widgets plugin. An attacker with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially stealing session cookies, defacing websites, or performing unauthorized actions on behalf of users. This compromises confidentiality and integrity of user data and site content. Although availability is not directly impacted, the reputational damage and potential for further exploitation (e.g., pivoting to more severe attacks) can be substantial. Organizations with multiple contributors or less restrictive content management policies are at higher risk. The vulnerability could also be leveraged in targeted attacks against high-profile WordPress sites, leading to data breaches or loss of user trust.

Organizations should immediately audit their WordPress installations for the presence of the Stratum – Elementor Widgets plugin and restrict contributor-level permissions to trusted users only. Until an official patch is released, consider disabling or removing the Image Hotspot widget or the entire plugin if feasible. Implement web application firewalls (WAFs) with rules to detect and block suspicious script injections targeting this widget. Employ content security policies (CSP) to limit the execution of unauthorized scripts. Regularly monitor site content for unexpected script tags or changes. Educate contributors about safe content practices and the risks of injecting untrusted code. Once a patch is available, apply it promptly. Additionally, review and tighten user role permissions to minimize the risk of malicious content injection.