CVE-2024-4896 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WPB Elementor Addons plugin for WordPress, present in all versions up to and including 1.0.9. The vulnerability arises from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'url' parameter. Authenticated attackers with Contributor-level privileges or higher can inject arbitrary JavaScript code into pages by manipulating this parameter. Because the malicious script is stored persistently, it executes in the context of any user who accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the affected page, but it does require the attacker to have at least Contributor-level access, which is a moderate privilege level in WordPress. The CVSS 3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. No patches or fixes are currently linked, and no known exploits are reported in the wild. The vulnerability is classified under CWE-79, a common category for XSS issues. The plugin is widely used in WordPress environments that employ Elementor page builder addons, making it a relevant concern for many websites relying on this ecosystem.

The impact of this vulnerability is significant for organizations running WordPress sites with the WPB Elementor Addons plugin. Successful exploitation allows attackers with Contributor-level access to inject persistent malicious scripts, which execute in the browsers of any users visiting the compromised pages. This can lead to session hijacking, theft of sensitive information such as authentication cookies, unauthorized actions performed on behalf of users, and potential further compromise of the website or its users. While the attacker requires some level of authentication, Contributor access is commonly granted to trusted users or external content creators, increasing the risk of insider threats or compromised accounts. The vulnerability does not affect availability directly but compromises confidentiality and integrity of user data and site content. Organizations with high traffic or sensitive user data are at greater risk, as the exploitation could lead to reputational damage, loss of user trust, and regulatory consequences if personal data is exposed. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as public disclosure may motivate attackers to develop exploits.

To mitigate this vulnerability, organizations should first check for updates or patches from the WPB Elementor Addons plugin vendor and apply them promptly once available. In the absence of an official patch, administrators should restrict Contributor-level access to only trusted users and review existing Contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'url' parameter can provide temporary protection. Additionally, site administrators should enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts and reduce the impact of XSS attacks. Regularly scanning the website for injected scripts and monitoring logs for unusual behavior can help detect exploitation attempts early. Educating content contributors about safe input practices and monitoring plugin usage can further reduce risk. Finally, consider disabling or replacing the vulnerable plugin if immediate patching is not feasible.