CVE-2024-1508 identifies a stored cross-site scripting (XSS) vulnerability in the Prime Slider – Addons For Elementor plugin, widely used in WordPress sites to create sliders such as Revolution, Hero, and Ecommerce sliders. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'settings["title_tags"]' attribute of the Mercury widget. This allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability affects all plugin versions up to and including 3.13.2. The attack vector requires network access and authenticated contributor-level privileges, but no user interaction is needed for the payload to execute. The CVSS 3.1 base score is 6.4, indicating a medium severity with a scope change due to the potential impact on other users. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially those with multiple contributors or editors.

The primary impact of this vulnerability is the compromise of confidentiality and integrity of users interacting with affected WordPress sites. Attackers can inject malicious scripts that execute in the context of the victim's browser, enabling theft of session cookies, credentials, or other sensitive information. This can lead to account takeover or unauthorized actions performed on behalf of legitimate users. Additionally, attackers may deface websites or redirect visitors to malicious domains, damaging brand reputation and user trust. Since the vulnerability requires contributor-level access, attackers who have compromised or gained such access can leverage this flaw to escalate their impact. The scope includes all visitors to the infected pages, potentially affecting a large user base. Although availability is not directly impacted, the indirect consequences such as site blacklisting by search engines or hosting providers can cause service disruptions. Organizations relying on this plugin for critical customer-facing sites or ecommerce platforms face increased risk of data breaches and operational disruption.

To mitigate this vulnerability, organizations should immediately update the Prime Slider – Addons For Elementor plugin to a version that addresses the issue once released by the vendor. Until a patch is available, restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'settings["title_tags"]' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly scan WordPress installations with security tools to detect injected scripts or anomalous content. Educate site administrators and contributors on secure content management practices, emphasizing the risks of XSS. Consider disabling or replacing the vulnerable plugin with alternative slider solutions that follow secure coding practices. Finally, monitor logs and user reports for signs of exploitation or unusual behavior related to this vulnerability.