CVE-2024-4458 is a stored cross-site scripting vulnerability in the Themesflat Addons For Elementor WordPress plugin, affecting all versions up to and including 2.1.2. The issue is due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of URL parameters in several widgets. Authenticated attackers with contributor-level access or higher can exploit this to inject arbitrary web scripts that execute when users view the injected pages. This vulnerability is classified under CWE-79 and has a CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), indicating network attack vector, low attack complexity, requiring privileges, no user interaction, scope changed, with low confidentiality and integrity impact and no availability impact.

Successful exploitation allows an authenticated contributor or higher to inject persistent malicious scripts into pages, which execute in the context of users viewing those pages. This can lead to unauthorized actions performed on behalf of users, potential data theft, or session hijacking. The impact is limited to confidentiality and integrity with no availability impact. The vulnerability requires authenticated access with contributor privileges or above, which limits the attack surface.

No official patch or remediation guidance is currently available from the vendor. Users should monitor the vendor's advisory channels for updates. Until a fix is released, restrict contributor-level access to trusted users only and consider disabling or removing the Themesflat Addons For Elementor plugin if feasible. Implementing web application firewall (WAF) rules to detect and block suspicious script injections may provide temporary mitigation. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.