CVE-2024-4360 is a stored cross-site scripting (XSS) vulnerability identified in the Element Pack Elementor Addons plugin for WordPress, specifically affecting components such as Header Footer, Template Library, Dynamic Grid & Carousel, and Remote Arrows. The vulnerability exists due to improper neutralization of input during web page generation, classified under CWE-79. It stems from insufficient sanitization and escaping of user-supplied attributes like 'title_tag' within the plugin's widgets. This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored and executed whenever any user accesses the infected page, it can lead to persistent XSS attacks. The vulnerability affects all plugin versions up to and including 5.7.2. The CVSS v3.1 score is 6.4 (medium severity), with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. The impact includes partial loss of confidentiality and integrity, as attackers can execute scripts in the context of other users, potentially stealing cookies, session tokens, or performing actions on behalf of victims. No known exploits have been reported in the wild, but the risk remains significant due to the widespread use of WordPress and this plugin. The vulnerability was published on August 9, 2024, and assigned by Wordfence. No official patches or updates are linked yet, so mitigation relies on access control and input validation.

The primary impact of CVE-2024-4360 is the potential for persistent cross-site scripting attacks on WordPress sites using the vulnerable Element Pack Elementor Addons plugin. Exploitation allows attackers with contributor-level access to inject malicious scripts that execute in the browsers of any users visiting the compromised pages. This can lead to theft of sensitive information such as authentication cookies and session tokens, enabling account takeover or privilege escalation. Attackers may also manipulate page content or perform unauthorized actions on behalf of users, undermining data integrity. Although availability is not directly affected, the reputational damage and potential data breaches can have severe consequences for organizations. Given WordPress's extensive global usage, especially among small to medium enterprises, blogs, and e-commerce sites, the vulnerability poses a widespread risk. Organizations relying on this plugin may face increased risk of targeted attacks, especially if contributor accounts are compromised or misused. The medium CVSS score reflects the need for timely remediation to prevent exploitation and protect user data confidentiality and integrity.

To mitigate CVE-2024-4360, organizations should first verify if they use the Element Pack Elementor Addons plugin and identify the installed version. Until an official patch is released, restrict contributor-level access strictly to trusted users to reduce the risk of malicious script injection. Implement additional input validation and output escaping at the application or web server level, if possible, to sanitize user-supplied attributes like 'title_tag'. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable widgets. Monitor logs and user activity for unusual behavior indicative of XSS exploitation attempts. Educate content contributors about safe input practices and the risks of injecting untrusted content. Once the vendor releases a patched version, promptly update the plugin to eliminate the vulnerability. Additionally, consider deploying Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Regularly audit user privileges and remove unnecessary contributor accounts to minimize attack surface.