CVE-2024-4618 is a stored cross-site scripting vulnerability identified in the Exclusive Addons for Elementor plugin for WordPress, specifically within the Team Member widget. The vulnerability stems from improper neutralization of user-supplied input in the 'url' attribute, where the plugin fails to adequately sanitize and escape this input before rendering it on web pages. This flaw allows authenticated attackers with contributor-level permissions or higher to inject arbitrary JavaScript code that is persistently stored and executed in the context of any user visiting the affected page. The exploitation does not require additional user interaction beyond visiting the compromised page, and the vulnerability impacts confidentiality and integrity by enabling potential session hijacking, credential theft, or unauthorized actions performed on behalf of users. The CVSS 3.1 score of 6.4 reflects a medium severity with network attack vector, low attack complexity, and privileges required. No patches or official fixes are currently linked, and no known exploits are reported in the wild. The vulnerability affects all versions up to and including 2.6.9.6, making it critical for sites using this plugin to assess exposure and implement mitigations promptly.

The primary impact of this vulnerability is the compromise of user confidentiality and integrity through the execution of arbitrary JavaScript in the context of affected websites. Attackers can steal session cookies, perform actions on behalf of users, deface content, or redirect users to malicious sites. Since the vulnerability requires contributor-level access, attackers must first gain some level of authenticated access, which may be feasible through social engineering or compromised credentials. The scope includes all WordPress sites using the vulnerable versions of Exclusive Addons for Elementor, potentially affecting a large number of websites given the popularity of Elementor and its addons. The lack of user interaction requirement increases the risk, as any visitor to a compromised page may be affected. While availability is not directly impacted, the reputational damage and potential data breaches can have significant operational and financial consequences for organizations worldwide.

Organizations should immediately verify if they are using the Exclusive Addons for Elementor plugin version 2.6.9.6 or earlier and plan to upgrade to a patched version once available. Until a patch is released, administrators should restrict contributor-level access to trusted users only and audit existing users for suspicious accounts. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'url' attribute can provide temporary protection. Additionally, site owners should enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scanning the website for injected scripts and monitoring logs for unusual activity can help detect exploitation attempts. Educating content contributors about safe input practices and monitoring plugin updates from the vendor are also critical steps.