CVE-2024-4698 is a stored cross-site scripting (XSS) vulnerability identified in the Testimonial Carousel For Elementor plugin for WordPress, which is widely used to create testimonial sliders on websites. The vulnerability arises from improper neutralization of input during web page generation, specifically in the 'show_line_text' and 'slide_button_hover_animation' parameters. These parameters do not undergo sufficient input sanitization or output escaping, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 10.1.1. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. The impact includes partial confidentiality and integrity loss but no availability impact. No public exploits have been reported yet. The vulnerability was published on May 18, 2024, and assigned by Wordfence. Since the plugin is used in WordPress environments, the threat surface includes any site allowing contributor-level users to manage testimonial content without adequate input validation controls.

The primary impact of CVE-2024-4698 is the potential for attackers with contributor-level access to inject persistent malicious scripts into website pages, which execute in the browsers of any visitors to those pages. This can lead to session hijacking, theft of sensitive user data such as cookies or credentials, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. For organizations, this undermines the confidentiality and integrity of user interactions and data on affected websites. Since contributor-level permissions are often granted to content creators or editors, the risk is elevated in multi-user WordPress environments where internal users might be compromised or act maliciously. The vulnerability does not directly impact availability but can severely damage organizational reputation and user trust if exploited. Given the widespread use of WordPress and the popularity of Elementor plugins, many websites globally could be affected, especially those that do not restrict contributor permissions or lack additional security controls. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a significant risk if weaponized.

To mitigate CVE-2024-4698, organizations should first update the Testimonial Carousel For Elementor plugin to a patched version once available from the vendor. In the absence of an official patch, implement strict input validation and output encoding on the 'show_line_text' and 'slide_button_hover_animation' parameters to prevent script injection. Limit contributor-level permissions to trusted users only and review user roles to minimize the number of users who can add or edit testimonial content. Employ Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting these parameters. Regularly audit website content for suspicious scripts or injected code. Enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Monitor logs for unusual activity related to testimonial content updates. Educate content contributors about safe input practices and the risks of injecting untrusted content. Finally, maintain regular backups of website data to enable quick restoration if exploitation occurs.