CVE-2024-4619 is a DOM-based stored Cross-Site Scripting vulnerability identified in the Elementor Website Builder plugin for WordPress, a widely used tool for creating and managing website content. The vulnerability specifically involves the 'hover_animation' parameter, which is not properly sanitized or escaped before being rendered in web pages. This improper neutralization of input (CWE-79) allows an attacker with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes in the context of any user who views the affected page, potentially compromising user sessions, stealing sensitive information, or performing unauthorized actions. The attack vector requires authenticated access but no user interaction beyond page viewing. The vulnerability affects all versions up to and including 3.21.4. The CVSS 3.1 base score of 6.4 indicates medium severity, with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component. No patches or exploit code are currently publicly available, but the risk remains significant due to the plugin's popularity and the common use of contributor roles in WordPress sites.

The impact of CVE-2024-4619 is primarily on the confidentiality and integrity of affected WordPress sites using the Elementor plugin. An attacker with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, credential theft, defacement, or unauthorized actions performed on behalf of users. This can undermine user trust, damage brand reputation, and lead to data breaches. Since contributor roles are commonly assigned to content editors and other semi-trusted users, the attack surface is relatively broad within organizations. The vulnerability does not affect availability directly but can facilitate further attacks that might disrupt services. Organizations relying on Elementor for critical web presence or e-commerce may face significant operational and financial risks if exploited.

Organizations should immediately upgrade the Elementor Website Builder plugin to a version that addresses this vulnerability once available. Until a patch is released, administrators should restrict contributor-level permissions to trusted users only and review existing user roles to minimize risk. Implementing Web Application Firewalls (WAF) with custom rules to detect and block suspicious payloads targeting the 'hover_animation' parameter can provide temporary protection. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly auditing and sanitizing user-generated content and monitoring logs for unusual activity related to page edits or script injections are recommended. Educating content contributors about safe practices and monitoring for privilege escalation attempts will further reduce risk.