CVE-2024-3650 is a stored Cross-Site Scripting (XSS) vulnerability identified in the ElementsKit Elementor addons and Templates Library plugin for WordPress, specifically within the Image Accordion widget. This vulnerability affects all versions from 3.0.7 through 3.1.2. The root cause is improper neutralization of input during web page generation, classified under CWE-79. Authenticated attackers with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the vulnerable widget. Because the injected scripts are stored persistently, they execute in the context of any user who accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the user. The vulnerability does not require user interaction beyond visiting the compromised page and does not require elevated privileges beyond contributor access. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, privileges required, no user interaction, scope changed, with low impact on confidentiality and integrity, and no impact on availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The lack of available patches at the time of disclosure increases the urgency for mitigation.

The primary impact of CVE-2024-3650 is the compromise of user confidentiality and integrity on affected WordPress sites. Attackers can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. Since the vulnerability requires contributor-level access, insider threats or compromised contributor accounts pose a significant risk. Public-facing websites with multiple contributors are especially vulnerable to exploitation. Although availability is not directly impacted, the reputational damage and potential data breaches resulting from successful exploitation can be severe. Organizations relying on the ElementsKit plugin for critical content management or e-commerce may face increased risk of data leakage or unauthorized transactions. The scope of affected systems is broad given WordPress's widespread use, and the vulnerability affects all sites running the specified plugin versions. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits following public disclosure.

Organizations should immediately verify if their WordPress installations use the ElementsKit Elementor addons plugin versions 3.0.7 through 3.1.2 and plan to upgrade to a patched version once available. Until a patch is released, administrators should restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the Image Accordion widget can provide temporary protection. Site owners should also enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scanning the website for injected scripts and unusual content changes can help detect exploitation attempts early. Additionally, educating contributors about secure content practices and monitoring logs for abnormal behavior can reduce the risk of exploitation. Backup procedures should be reviewed and tested to ensure rapid recovery if an attack occurs. Finally, subscribing to vendor and security mailing lists will help organizations stay informed about patch releases and further advisories.