CVE-2024-3889 is a stored cross-site scripting vulnerability identified in the Royal Elementor Addons and Templates plugin for WordPress, specifically within the Advanced Accordion widget. The vulnerability arises from insufficient input sanitization and output escaping of the 'accordion_title_tag' attribute, which is user-controllable. Because the plugin fails to properly neutralize this input, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages. This malicious script is stored persistently and executes in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability affects all plugin versions up to and including 1.3.971. The attack vector requires network access and authenticated contributor-level privileges but does not require user interaction to trigger once the malicious content is published. The CVSS 3.1 base score of 6.4 reflects a medium severity, with low attack complexity and no user interaction needed, but limited to authenticated users. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability falls under CWE-79, indicating improper neutralization of input during web page generation, a common cause of XSS issues in web applications.

The primary impact of CVE-2024-3889 is the compromise of confidentiality and integrity within affected WordPress sites using the vulnerable plugin. An attacker with contributor-level access can inject persistent malicious scripts, which execute in the browsers of users visiting the infected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. While availability is not directly impacted, the reputational damage and potential data breaches can be significant. For organizations relying on WordPress sites with this plugin, especially those with multiple contributors or public-facing content editors, the risk of internal threat actors or compromised contributor accounts exploiting this vulnerability is notable. The medium severity score reflects that exploitation requires authenticated access, limiting the attack surface but not eliminating risk, especially in environments with many contributors or weak access controls.

To mitigate CVE-2024-3889, organizations should: 1) Immediately update the Royal Elementor Addons and Templates plugin to a patched version once available; if no patch exists, consider disabling or removing the plugin temporarily. 2) Restrict contributor-level access strictly, auditing user roles and permissions to minimize the number of users who can inject content. 3) Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the affected widget. 4) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 5) Conduct regular security reviews of user-generated content, especially from contributors, to detect suspicious scripts or markup. 6) Educate content contributors about safe input practices and the risks of injecting untrusted content. 7) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 8) Consider using security plugins that sanitize and validate inputs at the application level as an additional layer of defense.