CVE-2024-4107 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Elementor Website Builder Pro plugin for WordPress, affecting all versions up to and including 3.21.0. The root cause is insufficient input sanitization and output escaping on several parameters used during web page generation. This flaw allows authenticated attackers with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user visits the infected page, potentially compromising the confidentiality and integrity of user sessions and data. The vulnerability does not require user interaction beyond visiting the compromised page, and the attacker needs only low-level authenticated access, which is common in multi-user WordPress environments. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using Elementor Pro, especially those with multiple contributors. The vulnerability is notable because Elementor is a widely used WordPress page builder, making many websites potentially vulnerable. The lack of a patch link suggests a fix may be pending or recently released, so immediate mitigation is critical.

The primary impact of CVE-2024-4107 is the compromise of website integrity and user trust. Attackers can inject malicious scripts that execute in the context of the website, leading to session hijacking, theft of sensitive user information, defacement, or redirection to malicious sites. For organizations, this can result in reputational damage, loss of customer trust, and potential regulatory consequences if user data is exposed. Since the vulnerability requires only contributor-level access, attackers can exploit compromised or malicious user accounts, which are common in collaborative environments. The scope includes any WordPress site using Elementor Pro up to version 3.21.0, which is a significant portion of websites globally. The vulnerability does not affect availability directly but can indirectly cause service disruption through defacement or user lockout. The medium severity score reflects the balance between ease of exploitation and impact, but the widespread use of Elementor increases the overall risk to organizations worldwide.

Organizations should immediately verify the Elementor Pro version in use and upgrade to a patched version once available. Until a patch is released, restrict contributor-level permissions to trusted users only and audit existing user roles to minimize risk. Implement web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting Elementor parameters. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. Regularly scan websites for injected scripts or unusual content changes. Educate content contributors about the risks of uploading or embedding untrusted content. Monitor logs for suspicious activity related to page edits or user actions. Consider temporarily disabling the Elementor Pro plugin if the risk is unacceptable and no patch is available. Finally, maintain a robust incident response plan to quickly address any detected exploitation.