CVE-2024-3134 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-80 affecting the 'Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor' WordPress plugin developed by litonice13. This plugin extends Elementor with additional widgets and effects and is widely used in WordPress sites for enhanced UI/UX features. The vulnerability stems from insufficient input sanitization and output escaping of the title_html_tag attribute, which allows authenticated users with contributor or higher privileges to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes automatically whenever any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The attack vector is network-based with low complexity, requiring no user interaction but does require authenticated access, which limits exploitation to insiders or compromised accounts. The vulnerability impacts confidentiality and integrity but does not affect availability. Although no public exploits have been reported yet, the widespread use of this plugin and the commonality of contributor-level accounts in WordPress environments make this a significant risk. The vulnerability affects all versions up to and including 2.0.6.0. No official patches were linked at the time of disclosure, so mitigation relies on access control and input validation measures until updates are available.

The primary impact of CVE-2024-3134 is the potential compromise of user confidentiality and integrity on WordPress sites using the affected plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed with victim privileges, defacement, or distribution of malware. Since the vulnerability requires authenticated access, the risk is higher in environments with weak access controls or where contributor accounts are frequently created or compromised. The scope includes all users who visit the infected pages, potentially including site administrators, increasing the risk of privilege escalation or site takeover. Although availability is not directly impacted, the indirect consequences of exploitation could lead to site downtime or loss of user trust. Organizations relying on this plugin for site functionality face reputational damage and potential regulatory compliance issues if user data is exposed. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits could emerge.

1. Immediately restrict contributor-level access to trusted users only and audit existing accounts for suspicious activity. 2. Apply the latest plugin updates as soon as they become available from the vendor to address the vulnerability. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the title_html_tag attribute. 4. Use security plugins that sanitize and escape user inputs and outputs globally to provide an additional layer of defense. 5. Conduct regular security reviews and penetration testing focusing on user input handling in WordPress plugins. 6. Educate site administrators and contributors on secure content creation practices to avoid injection of malicious scripts. 7. Monitor site logs for unusual script injections or access patterns indicative of exploitation attempts. 8. Consider temporarily disabling or replacing the affected plugin with alternative solutions until a patch is confirmed. 9. Enforce Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 10. Backup site data regularly to enable quick recovery in case of compromise.