CVE-2024-1421 identifies a stored Cross-Site Scripting (XSS) vulnerability in the HT Mega – Absolute Addons For Elementor plugin for WordPress, specifically within the Post Carousel widget's 'border_type' attribute. This vulnerability stems from insufficient input sanitization and output escaping, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users to malicious sites, or performing unauthorized actions on behalf of the user. The vulnerability affects all plugin versions up to and including 2.4.4. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. The weakness is classified under CWE-79, which covers improper neutralization of input during web page generation. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is significant due to the plugin's popularity among WordPress sites using Elementor, a widely adopted page builder. Attackers with contributor access can exploit this to escalate their impact beyond their role, affecting site visitors and administrators.

The primary impact of this vulnerability is the compromise of user confidentiality and integrity through the execution of arbitrary scripts in the context of the vulnerable website. Attackers can steal session cookies, perform actions on behalf of other users, deface websites, or deliver malware payloads. Since the vulnerability is stored XSS, the malicious code persists on the server and affects all visitors to the infected page, amplifying the potential damage. Organizations relying on WordPress sites with this plugin risk reputational damage, data breaches, and loss of user trust. The requirement for contributor-level access limits the initial attack surface but does not eliminate risk, especially in environments with multiple contributors or where contributor accounts may be compromised. The vulnerability does not impact availability directly but can lead to indirect denial of service through site defacement or administrative lockout. Overall, the threat can facilitate broader attacks such as phishing, credential theft, or lateral movement within the web application environment.

1. Immediately restrict contributor-level access to trusted users only and review existing contributor accounts for suspicious activity. 2. Monitor all user-generated content, especially in widgets or areas accepting input like the Post Carousel, for suspicious scripts or unexpected HTML. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the 'border_type' attribute or related inputs. 4. Regularly update the HT Mega – Absolute Addons For Elementor plugin as soon as the vendor releases a patch addressing this vulnerability. 5. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS attacks. 6. Educate site administrators and contributors about the risks of injecting untrusted content and enforce strict input validation policies. 7. Conduct periodic security audits and vulnerability scans focusing on WordPress plugins and user input handling. 8. Consider temporarily disabling or replacing the vulnerable widget if immediate patching is not feasible.