CVE-2024-3728 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Essential Addons for Elementor plugin for WordPress, which provides templates, widgets, kits, and WooCommerce builders. The vulnerability affects all versions up to and including 5.9.15. It stems from improper neutralization of user-supplied input in the Filterable Gallery and Interactive Circle widgets, where input sanitization and output escaping are insufficient. Authenticated attackers with contributor-level privileges or higher can inject arbitrary JavaScript code into pages via these widgets. Because the malicious scripts are stored, they execute every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability requires no user interaction but does require authenticated access, which limits exploitation to users with some level of trust within the WordPress site. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impact. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is significant due to the widespread use of Elementor and its addons in WordPress sites, especially those with multiple contributors or public-facing content.

The primary impact of CVE-2024-3728 is the compromise of confidentiality and integrity of user data on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. This can erode user trust, damage brand reputation, and lead to regulatory or compliance issues if sensitive data is exposed. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who visit the compromised page, amplifying the impact. Organizations relying on this plugin for e-commerce or content management may face financial losses or operational disruptions. The requirement for authenticated access reduces the risk from external anonymous attackers but does not eliminate insider threats or compromised contributor accounts. The lack of known exploits in the wild suggests limited active exploitation currently, but the vulnerability remains a significant risk if weaponized.

1. Immediately update the Essential Addons for Elementor plugin to a patched version once available from the vendor. Monitor vendor announcements for official fixes. 2. In the interim, restrict contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious script injection. 3. Implement a Web Application Firewall (WAF) with rules to detect and block typical XSS payloads targeting the Filterable Gallery and Interactive Circle widgets. 4. Conduct regular security audits of user-generated content, especially in the affected widgets, to detect and remove suspicious scripts. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. 6. Educate site administrators and contributors about the risks of XSS and safe content practices. 7. Consider disabling or limiting the use of the vulnerable widgets until a patch is applied. 8. Monitor logs and user activity for signs of exploitation or unusual behavior. These steps go beyond generic advice by focusing on access control, monitoring, and layered defenses specific to the vulnerable components.