CVE-2024-37945 identifies a stored cross-site scripting (XSS) vulnerability in the WPBITS Addons For Elementor Page Builder WordPress plugin, specifically in versions up to and including 1.5. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and stored persistently within the website's content. When a victim visits a compromised page, the malicious script executes in their browser context, potentially enabling attackers to steal session cookies, perform actions on behalf of the user, deface the website, or redirect users to malicious domains. This vulnerability does not require authentication or user interaction beyond visiting the affected page, increasing its risk profile. Although no known exploits have been reported in the wild, the widespread use of WordPress and Elementor-based plugins amplifies the potential attack surface. The vulnerability affects all installations running the vulnerable versions of the plugin, which is commonly used to enhance Elementor page builder functionality. The lack of an official patch or CVSS score at the time of publication necessitates cautious handling and proactive mitigation by site administrators.

The impact of CVE-2024-37945 can be significant for organizations relying on the WPBITS Addons For Elementor Page Builder plugin. Successful exploitation can compromise user confidentiality by stealing session tokens or personal data, undermine data integrity by allowing unauthorized content manipulation, and damage availability indirectly through defacement or redirection attacks that degrade user trust. For e-commerce, financial, or membership sites, this could lead to account takeover, fraudulent transactions, or reputational damage. Given the stored nature of the XSS, the malicious payload persists, increasing the likelihood of repeated victimization. The vulnerability's ease of exploitation without authentication or complex prerequisites broadens the scope of potential attackers, including automated bots and opportunistic threat actors. Organizations with high traffic or sensitive user bases face elevated risks, and remediation delays could exacerbate exposure.

Organizations should prioritize updating the WPBITS Addons For Elementor Page Builder plugin to a patched version once it becomes available from the vendor. Until an official patch is released, administrators should implement strict input validation and output encoding on all user-supplied data fields within the plugin's scope to prevent script injection. Employing a Web Application Firewall (WAF) with rules targeting common XSS payloads can provide interim protection. Regularly auditing and sanitizing stored content for malicious scripts is advisable. Additionally, enforcing Content Security Policy (CSP) headers can mitigate the impact of injected scripts by restricting script execution sources. Monitoring website logs for unusual activity and educating users about phishing risks related to XSS attacks will further reduce potential damage. Finally, maintaining a robust backup and recovery plan ensures rapid restoration in case of defacement or compromise.