CVE-2024-5092 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Elegant Addons for Elementor WordPress plugin developed by aruphash. This vulnerability affects all versions up to and including 1.0.8. The root cause is insufficient sanitization and escaping of user-supplied input in the plugin's Switcher, Slider, and Iconbox widgets. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via these widgets. Because the malicious script is stored, it executes every time a user visits the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users with elevated privileges. The vulnerability requires no user interaction beyond visiting the affected page, but it does require the attacker to have authenticated contributor-level access, which limits the attack surface to some extent. The CVSS 3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required. No patches or exploits are currently publicly available, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing contributor-level users to add or modify content. The scope of impact is high as it affects the confidentiality and integrity of user sessions and site content, though availability is not impacted.

The primary impact of CVE-2024-5092 is the compromise of confidentiality and integrity within affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of any users visiting the infected pages. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of users, defacement, or distribution of malware. For organizations, this can result in data breaches, loss of user trust, and reputational damage. Since contributor-level access is required, the threat is heightened in environments where multiple users have content creation privileges or where user accounts are not tightly controlled. The vulnerability does not affect availability directly but can be leveraged as a stepping stone for further attacks. Given the widespread use of Elementor and its addons in WordPress sites globally, the potential impact is significant, especially for businesses relying on these plugins for critical web presence or e-commerce.

To mitigate CVE-2024-5092, organizations should first verify if they use the Elegant Addons for Elementor plugin and identify the version in use. Immediate steps include: 1) Updating the plugin to a fixed version once released by the vendor; 2) Restricting contributor-level access to trusted users only, minimizing the risk of malicious input; 3) Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the affected widgets; 4) Conducting regular audits of user-generated content in the Switcher, Slider, and Iconbox widgets to detect suspicious scripts; 5) Employing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts; 6) Educating site administrators and contributors about the risks of injecting untrusted content; 7) Temporarily disabling or removing the vulnerable widgets if patching is not immediately possible. These measures combined reduce the attack surface and limit the potential damage until a vendor patch is available.