CVE-2024-5091 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the SKT Addons for Elementor plugin for WordPress, specifically affecting the Age Gate and Creative Slider widgets. The vulnerability results from insufficient sanitization of user-supplied input and lack of proper output escaping during web page generation. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript code that is stored persistently and executed in the browsers of any users who visit the infected pages. This flaw allows attackers to perform a range of malicious actions, including stealing cookies or session tokens, defacing website content, or redirecting users to malicious sites. The vulnerability affects all versions up to and including 2.0 of the plugin. The CVSS v3.1 base score is 7.4, indicating high severity, with an attack vector of network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk given the widespread use of Elementor and its addons in WordPress sites. The lack of patches or official fixes at the time of publication necessitates immediate mitigation efforts by site administrators.

The impact of CVE-2024-5091 is significant for organizations using the SKT Addons for Elementor plugin. Successful exploitation can lead to unauthorized script execution in the context of the affected website, compromising confidentiality by exposing user session cookies or credentials, integrity by allowing content manipulation or defacement, and availability by potentially enabling denial-of-service conditions through malicious scripts. Since the vulnerability requires only contributor-level authentication, attackers can leverage compromised or legitimate contributor accounts to escalate their impact. This threat can affect any WordPress site using the vulnerable plugin, including corporate websites, e-commerce platforms, and content portals, potentially damaging brand reputation and user trust. The scope of affected systems is broad due to the popularity of Elementor and its addons, and the vulnerability’s exploitation can facilitate further attacks such as phishing or malware distribution. The absence of known exploits in the wild currently limits immediate widespread damage but does not reduce the urgency for remediation.

To mitigate CVE-2024-5091, organizations should first verify if their WordPress installations use the SKT Addons for Elementor plugin and identify the version in use. Since no official patch is currently available, administrators should consider temporarily disabling the vulnerable widgets (Age Gate and Creative Slider) or the entire plugin if feasible. Restrict contributor-level access strictly to trusted users and audit existing contributor accounts for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting these widgets. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Monitor website logs for unusual input patterns or script injections. Educate content contributors about the risks of injecting untrusted content. Once a patch is released, promptly apply updates. Additionally, consider using security plugins that provide enhanced input sanitization and output escaping for user-generated content.