The themeworm Plexx Elementor Extension (versions up to 1.3.6) suffers from a DOM-based Cross-site Scripting vulnerability due to improper input neutralization during web page generation. This allows attackers with at least low privileges and requiring user interaction to execute scripts in the context of the affected web application, potentially leading to partial confidentiality, integrity, and availability impacts. The vulnerability is tracked as CVE-2024-49234 and has a CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L). No patch or official fix information is currently available.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the victim's browser within the context of the affected web application. This can lead to partial disclosure of sensitive information, modification of data, or disruption of availability. The attack requires at least low privileges and user interaction, and the scope is changed (S:C), meaning the impact crosses security boundaries.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch or official fix is available, consider limiting privileges of users who can interact with the extension and educate users to avoid interacting with suspicious content. Monitor vendor channels for updates regarding a fix.