CVE-2024-3190 is a stored cross-site scripting vulnerability in the Unlimited Elements For Elementor WordPress plugin, affecting all versions up to 1.5.107. The issue stems from improper neutralization of input in the plugin's text field widget, specifically due to insufficient input sanitization and output escaping of user-supplied attributes. Authenticated attackers with contributor-level privileges or higher can exploit this to inject arbitrary web scripts that execute when users access the compromised pages. The vulnerability is distinct because it originates from an external template. Version 1.5.108 is the first known patched release addressing this issue.

An attacker with contributor-level or higher access can inject persistent malicious scripts into pages via the vulnerable text field widget. These scripts execute in the context of users viewing the page, potentially leading to information disclosure or session hijacking. The vulnerability does not require user interaction beyond viewing the infected page and does not affect availability. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and limited confidentiality and integrity impact.

Upgrade the Unlimited Elements For Elementor plugin to version 1.5.108 or later, which contains the official fix for this vulnerability. No other specific mitigations are indicated. Patch status is confirmed by the vendor's identification of version 1.5.108 as the patched release. Users should ensure only trusted contributors have access to the WordPress backend to reduce risk prior to patching.