CVE-2024-4624 is a stored cross-site scripting (XSS) vulnerability identified in the WordPress plugin Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders, maintained by wpdevteam. The vulnerability exists due to insufficient sanitization and escaping of user-supplied input in the 'eael_ext_toc_title_tag' parameter. This parameter is used during web page generation, and when improperly handled, allows an authenticated attacker with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time any user views the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all plugin versions up to and including 5.9.20. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change due to impact on other components. The vulnerability impacts confidentiality and integrity but not availability. No patches or exploit code are currently publicly available, but the risk remains significant given the widespread use of this plugin in WordPress sites. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

This vulnerability allows attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users visiting those pages. The impact includes potential theft of authentication cookies, session hijacking, defacement, redirection to malicious sites, and unauthorized actions performed on behalf of users. Since contributors can publish content, the risk is elevated in environments where contributor accounts are common or where privilege escalation is possible. The compromise of user sessions can lead to further exploitation, including privilege escalation or data exfiltration. Organizations relying on this plugin for website functionality, especially those handling sensitive user data or e-commerce transactions, face reputational damage, loss of user trust, and potential regulatory consequences. The vulnerability does not affect availability directly but can indirectly cause service disruption through site defacement or administrative lockout.

To mitigate this vulnerability, organizations should immediately update the Essential Addons for Elementor plugin to a version where this issue is fixed once available. Until a patch is released, restrict contributor-level permissions to trusted users only and audit existing contributor accounts for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'eael_ext_toc_title_tag' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor website content for unauthorized script injections and conduct security reviews of user-generated content. Additionally, consider disabling or limiting the use of the vulnerable plugin if feasible, or replace it with alternative plugins that have a better security track record. Educate content contributors about safe input practices and the risks of injecting untrusted content.