CVE-2024-5001 is a stored Cross-Site Scripting (XSS) vulnerability affecting the 'Image Hover Effects for Elementor with Lightbox and Flipbox' WordPress plugin developed by biplob018. The vulnerability arises from improper neutralization of input during web page generation, specifically in the '_id', 'oxi_addons_f_title_tag', and 'content_description_tag' parameters. These parameters are insufficiently sanitized and escaped, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions. The vulnerability affects all versions up to and including 3.0.2. The CVSS v3.1 base score is 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and scope change. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk on multi-user WordPress sites where contributors can add or edit content. The flaw is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability was publicly disclosed on June 6, 2024, and no official patches or updates have been linked yet. The risk is heightened by the plugin's popularity among Elementor users who rely on visual effects for image presentation, making it a valuable target for attackers aiming to leverage stored XSS for persistent attacks.

The primary impact of CVE-2024-5001 is the ability for authenticated users with Contributor-level access or higher to inject persistent malicious scripts into WordPress pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, defacement of website content, unauthorized actions performed on behalf of other users, and potential distribution of malware. Since the vulnerability is stored XSS, the malicious payload persists in the website's database and affects all users who view the compromised content, increasing the attack surface. Organizations running multi-author WordPress sites with this plugin are at risk of internal threat actors or compromised contributor accounts exploiting this flaw. The vulnerability can undermine user trust, damage brand reputation, and lead to regulatory compliance issues if sensitive user data is exposed. Although no known exploits are reported, the medium CVSS score and ease of exploitation by authenticated users make it a credible threat. The scope includes all websites using the affected plugin versions, particularly those with active contributor roles and public-facing content. The lack of user interaction required for exploitation further increases the risk.

To mitigate CVE-2024-5001, organizations should immediately audit their WordPress installations to identify the use of the 'Image Hover Effects for Elementor with Lightbox and Flipbox' plugin and verify the version in use. Since no official patch is currently linked, administrators should consider temporarily disabling or uninstalling the plugin until a fixed version is released. Restrict Contributor-level permissions to trusted users only and review existing content for suspicious scripts or injected code. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the vulnerable parameters ('_id', 'oxi_addons_f_title_tag', 'content_description_tag'). Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor logs and user activities for signs of exploitation attempts. Educate content contributors about the risks of injecting untrusted HTML or scripts. Once a patch is available, apply it promptly and test the site for residual vulnerabilities. Additionally, consider using security plugins that sanitize user inputs and outputs to reduce the risk of XSS vulnerabilities.