CVE-2024-4391 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 found in the Happy Addons for Elementor plugin for WordPress, specifically within the Event Calendar widget. This vulnerability exists in all versions up to and including 3.10.7 due to improper neutralization of user-supplied input during web page generation. The root cause is insufficient input sanitization and lack of output escaping on attributes that users can control. An attacker with authenticated access at the contributor level or higher can inject arbitrary JavaScript code into pages rendered by the plugin. Because the malicious script is stored, it executes every time any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability does not require user interaction beyond visiting the infected page and has a CVSS v3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed as the vulnerability affects multiple users viewing the injected content. No public exploits have been reported yet, but the vulnerability is critical for websites relying on this plugin for event calendar functionality. The plugin is widely used in WordPress environments, making the vulnerability relevant to many organizations running WordPress sites with Elementor and Happy Addons installed.

The primary impact of CVE-2024-4391 is the compromise of confidentiality and integrity for users visiting affected WordPress sites. Attackers can execute arbitrary JavaScript in the context of the vulnerable site, enabling session hijacking, credential theft, defacement, or redirection to malicious sites. This can lead to unauthorized access to user accounts, data leakage, and erosion of user trust. Since the vulnerability requires contributor-level access, attackers must first gain some level of authenticated access, which may be possible through social engineering or exploiting other vulnerabilities. The stored nature of the XSS means that the malicious payload persists and affects all users viewing the infected page, increasing the potential damage. Organizations relying on the Happy Addons plugin for event management on WordPress sites face risks of reputational damage, data breaches, and potential regulatory consequences if user data is compromised. The vulnerability does not impact availability directly but can indirectly cause service disruption if sites are defaced or taken offline to remediate the issue.

To mitigate CVE-2024-4391, organizations should immediately update the Happy Addons for Elementor plugin to a version where this vulnerability is patched once available. Until a patch is released, restrict contributor-level and higher access to trusted users only, minimizing the risk of malicious input injection. Implement web application firewall (WAF) rules to detect and block suspicious script injection patterns targeting the Event Calendar widget. Conduct thorough input validation and output encoding on all user-supplied data within custom code or additional plugins to reduce XSS risks. Regularly audit user roles and permissions to ensure least privilege principles are enforced. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the website. Monitor website pages for unexpected script injections or defacements. Educate content contributors about the risks of injecting untrusted content. Finally, maintain regular backups to enable quick restoration if exploitation occurs.