CVE-2024-3161 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Jeg Elementor Kit WordPress plugin, specifically within the countdown widget's attributes. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), where the plugin fails to adequately sanitize and escape user-supplied input before rendering it on pages. As a result, authenticated users with contributor or higher privileges can inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, defacement, or other malicious activities. The vulnerability affects all versions up to and including 2.6.4. The attack vector is network-based with low attack complexity and requires privileges of at least contributor level but no user interaction beyond page access. The vulnerability impacts confidentiality and integrity but not availability, reflected in its CVSS 3.1 score of 6.4. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow multiple authenticated users to contribute content.

The primary impact of CVE-2024-3161 is on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts that execute in the browsers of site visitors or administrators. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized account access. Attackers may also perform actions on behalf of users, deface websites, or spread malware. While availability is not directly impacted, the reputational damage and potential data breaches can be significant. Organizations with multi-user WordPress environments, especially those with contributors who may not be fully trusted, are at higher risk. The vulnerability could be leveraged in targeted attacks against high-profile websites or used as a foothold for further compromise. Although no known exploits are reported yet, the ease of exploitation and widespread use of WordPress and Elementor-based themes increase the likelihood of future attacks.

To mitigate CVE-2024-3161, organizations should immediately update the Jeg Elementor Kit plugin to a patched version once available. Until then, restrict contributor-level access to trusted users only and review existing content for injected scripts. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the countdown widget attributes. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly audit user roles and permissions to minimize the number of users with contributor or higher privileges. Additionally, monitor website logs for unusual activity or unexpected script injections. If patching is delayed, consider disabling or removing the countdown widget temporarily to eliminate the attack surface. Educate content contributors about safe input practices and the risks of injecting untrusted code.