CVE-2024-5006 identifies a stored cross-site scripting (XSS) vulnerability in the Boostify Header Footer Builder for Elementor plugin for WordPress, versions up to and including 1.3.2. The vulnerability stems from improper neutralization of user input during web page generation, specifically via the 'size' parameter. Authenticated attackers with Contributor-level privileges or higher can exploit this by injecting arbitrary JavaScript code into pages managed by the plugin. Because the malicious script is stored persistently, it executes in the context of any user who views the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the page and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed since the vulnerability affects all users who access the injected content. No patches are currently linked, so mitigation may require manual intervention or waiting for an official update. No known exploits are reported in the wild as of the publication date.

This vulnerability poses a significant risk to organizations running WordPress sites with the affected Boostify Header Footer Builder plugin. Exploitation can lead to unauthorized script execution in users' browsers, enabling session hijacking, credential theft, defacement, or redirection to malicious sites. Since Contributor-level access is sufficient to exploit the flaw, attackers who gain such access—through compromised accounts or insider threats—can leverage this vulnerability to escalate their impact. The persistent nature of stored XSS means that all visitors to the compromised pages are at risk, potentially affecting site reputation and user trust. While the vulnerability does not directly impact server availability or integrity, the confidentiality and integrity of user data and site content are at risk. This can lead to regulatory compliance issues, especially for sites handling sensitive user information. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities rapidly after disclosure.

Organizations should immediately audit their WordPress installations for the presence of the Boostify Header Footer Builder for Elementor plugin and verify the version in use. Since no official patch links are currently available, administrators should consider the following steps: restrict Contributor-level access to trusted users only, implement web application firewall (WAF) rules to detect and block suspicious payloads targeting the 'size' parameter, and apply manual input validation and output escaping in the plugin code if feasible. Monitoring logs for unusual activity related to page modifications or script injections is also recommended. Additionally, site owners should educate contributors about the risks of injecting untrusted content. Once an official patch is released, prompt updating is critical. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs.