CVE-2024-3718 is a stored cross-site scripting (XSS) vulnerability identified in The Plus Addons for Elementor plugin for WordPress, which provides additional widgets, page templates, mega menus, and WooCommerce integrations. The vulnerability arises from improper neutralization of user-supplied input in several widgets, where input sanitization and output escaping are insufficient. This flaw allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes in the context of any user who accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability affects all versions up to and including 5.5.4. The CVSS 3.1 base score is 6.4, reflecting a medium severity level with network attack vector, low attack complexity, privileges required (contributor-level), no user interaction, and a scope change due to the ability to affect other users. No public exploits have been reported yet, but the risk remains significant due to the widespread use of the plugin and WordPress. The vulnerability is classified under CWE-79, which covers improper input neutralization leading to XSS. The plugin is popular among WordPress sites globally, especially those using Elementor for page building and WooCommerce for e-commerce. The vulnerability's exploitation could lead to session hijacking, defacement, phishing, or further malware deployment.

The impact of CVE-2024-3718 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions. This can lead to account takeover, data theft, defacement, or distribution of malware. Since the vulnerability requires contributor-level access, attackers must first compromise or have legitimate access to an account with such privileges, which may limit exposure but still poses a significant risk in environments with multiple contributors or weak access controls. The scope is broad because the injected scripts affect all users viewing the compromised pages, including administrators and visitors. Availability is not directly impacted, but reputational damage and loss of user trust can be severe. Organizations running WordPress sites with this plugin, especially e-commerce or high-traffic sites, face risks of customer data compromise and operational disruption.

1. Upgrade the Plus Addons for Elementor plugin to a version that patches this vulnerability as soon as it becomes available. 2. Until a patch is released, restrict contributor-level and higher privileges to trusted users only and review user roles to minimize unnecessary elevated access. 3. Implement web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting this plugin's widgets. 4. Use security plugins that sanitize and validate user inputs on the WordPress site to add an additional layer of defense. 5. Regularly audit and monitor site content and user-generated inputs for suspicious scripts or anomalies. 6. Educate site administrators and contributors about the risks of XSS and safe content practices. 7. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 8. Backup site data regularly to enable quick restoration if an attack occurs. These steps go beyond generic advice by focusing on access control, layered defenses, and proactive monitoring specific to the plugin's context.