CVE-2024-49667 identifies a stored cross-site scripting (XSS) vulnerability in the Local Business Addons For Elementor plugin developed by Asaduzzaman Abir, specifically within the map-addons-for-elementor-waze-map feature. This vulnerability arises from improper neutralization of input during web page generation, allowing malicious scripts to be injected and stored within the plugin's data. When a user accesses a page containing the injected payload, the malicious script executes in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of the user. The affected versions include all releases up to and including version 1.1.5. The vulnerability does not require authentication, meaning any unauthenticated attacker can exploit it by submitting crafted input that gets stored and later rendered. No CVSS score has been assigned yet, and no public exploits have been reported. However, the nature of stored XSS vulnerabilities typically allows attackers to persist malicious code, increasing the risk of widespread compromise. The plugin is used within WordPress environments, often by small to medium businesses leveraging Elementor for website building. The vulnerability stems from insufficient input validation and output encoding when generating web pages, a common weakness in web applications that handle user-generated content.

The impact of CVE-2024-49667 is significant for organizations using the Local Business Addons For Elementor plugin. Successful exploitation can lead to the execution of arbitrary JavaScript in users' browsers, enabling attackers to steal sensitive information such as cookies, session tokens, or personal data. This can facilitate account takeover, privilege escalation, or further attacks like phishing and malware distribution. The stored nature of the XSS means the malicious payload persists on the website, potentially affecting all visitors to the compromised pages. This undermines user trust and can lead to reputational damage, regulatory penalties (especially under data protection laws like GDPR), and financial losses. Since the plugin is integrated into WordPress sites, which are widely used globally, the scope of affected systems is broad. The lack of authentication requirement lowers the barrier to exploitation, increasing the likelihood of attacks. Additionally, compromised sites can be used as a vector for supply chain attacks or to distribute malware to visitors. Organizations relying on this plugin for business-critical websites face risks to confidentiality, integrity, and availability of their web services.

To mitigate the risk posed by CVE-2024-49667, organizations should immediately check for updates or patches from the plugin vendor and apply them as soon as they become available. In the absence of an official patch, administrators should consider temporarily disabling the vulnerable plugin or removing the affected map-addons-for-elementor-waze-map functionality. Implement strict input validation and output encoding on all user-supplied data to prevent injection of malicious scripts. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this plugin. Limit user permissions to reduce the ability of untrusted users to submit content that could be exploited. Conduct regular security audits and scanning of WordPress sites to detect malicious scripts or indicators of compromise. Educate site administrators and developers on secure coding practices and the risks of stored XSS. Monitor security advisories related to this plugin and the broader Elementor ecosystem to stay informed of emerging threats and fixes. Finally, consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.