CVE-2024-3885 is a stored cross-site scripting vulnerability identified in the Premium Addons for Elementor plugin for WordPress, a widely used page builder enhancement tool. The vulnerability stems from improper neutralization of input during web page generation, specifically involving the 'subcontainer' value parameter. Due to insufficient input sanitization and lack of proper output escaping, authenticated users with contributor or higher privileges can inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the context of any user who accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 4.10.28. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with no availability impact. Although no exploits are currently known in the wild, the vulnerability's presence in a popular WordPress plugin makes it a significant risk. The scope is broad as it affects all installations of the vulnerable plugin versions, and the exploitation requires only contributor-level access, which is commonly granted in multi-author WordPress sites. The vulnerability was published on May 2, 2024, and assigned by Wordfence. No official patch links are provided yet, indicating that mitigation may require manual intervention or plugin updates once available.

The primary impact of this vulnerability is the compromise of confidentiality and integrity of affected WordPress sites using the Premium Addons for Elementor plugin. Attackers with contributor access can inject persistent malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, credential theft, defacement, unauthorized actions, or distribution of malware. This can damage organizational reputation, lead to data breaches, and facilitate further attacks within the network. Since contributor-level access is often granted to multiple users in collaborative environments, the attack surface is significant. The vulnerability does not impact availability directly but can indirectly cause service disruption through defacement or administrative lockout. Organizations relying on this plugin for website functionality or marketing may face operational and financial consequences if exploited. The lack of known exploits in the wild suggests limited immediate risk but also highlights the importance of proactive remediation before attackers develop weaponized exploits.

Organizations should immediately audit user roles and permissions to ensure that contributor-level access is strictly controlled and limited to trusted users. Until an official patch is released, consider temporarily disabling or removing the Premium Addons for Elementor plugin if feasible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the 'subcontainer' parameter. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly monitor logs for unusual activity related to page content changes or script injections. Educate site administrators and contributors about the risks of injecting untrusted content. Once a vendor patch is available, apply it promptly and verify that input sanitization and output escaping are correctly enforced. Additionally, conduct security scans and penetration tests focusing on XSS vulnerabilities in WordPress environments. Maintain up-to-date backups to enable rapid recovery if compromise occurs.