CVE-2024-13650 is a stored cross-site scripting vulnerability identified in the Piotnet Addons For Elementor plugin for WordPress, affecting all versions up to and including 2.4.34. The vulnerability specifically targets the 'PAFE Before After Image Comparison Slider' widget, which fails to properly sanitize and escape user input before rendering it on web pages. This improper neutralization of input (CWE-79) allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed with the victim's credentials. The attack vector is remote over the network, with low complexity, requiring only authenticated access but no user interaction for exploitation. The vulnerability affects the confidentiality and integrity of data but does not impact availability. The CVSS 3.1 base score is 6.4, indicating medium severity. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing Contributor-level users to create or edit content. The vulnerability was published on April 18, 2025, with the initial reservation on January 23, 2025. No official patches have been linked yet, so mitigation relies on access control and input validation measures.

The primary impact of CVE-2024-13650 is the compromise of confidentiality and integrity on affected WordPress sites using the Piotnet Addons For Elementor plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the context of other users' browsers, potentially stealing session cookies, credentials, or performing unauthorized actions such as content manipulation or privilege escalation. This can lead to account takeover, defacement, or further compromise of the website and its users. Since the vulnerability is stored XSS, the malicious payload persists on the site, increasing the risk of widespread impact. Organizations relying on this plugin, especially those with multiple contributors or editors, face increased risk of insider threats or compromised accounts being leveraged for attacks. The vulnerability does not directly affect availability but can indirectly cause reputational damage and loss of user trust. Given WordPress's widespread use globally, the potential attack surface is large, particularly for sites that do not restrict contributor privileges or monitor plugin security.

To mitigate CVE-2024-13650, organizations should first verify if they use the Piotnet Addons For Elementor plugin and identify the version in use. Since no official patch links are currently available, immediate mitigation includes restricting Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Administrators should implement strict input validation and output encoding on any user-generated content, especially in the affected widget areas. Employing Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting this plugin can reduce exploitation risk. Monitoring logs for unusual content submissions or script injections is recommended. Once an official patch is released, prompt updating of the plugin is critical. Additionally, educating content contributors about safe content practices and the risks of injecting untrusted code can help prevent exploitation. Regular security audits and vulnerability scanning of WordPress plugins should be part of ongoing security hygiene.