CVE-2024-51674 is a DOM-based Cross-site Scripting (XSS) vulnerability found in the Sastra Essential Addons for Elementor plugin developed by Fast Themes. This plugin extends the Elementor page builder functionality for WordPress sites. The vulnerability stems from improper neutralization of user-supplied input during web page generation, which allows malicious actors to inject and execute arbitrary JavaScript code within the victim's browser context. This type of XSS is client-side (DOM-based), meaning the malicious payload is executed as a result of unsafe handling of data in the Document Object Model rather than server-side injection. The affected versions include all releases up to and including version 1.0.5. Exploitation typically involves tricking a user into visiting a specially crafted URL or interacting with a compromised page that contains the malicious script. Although no public exploits have been reported yet, the vulnerability can lead to serious consequences such as session hijacking, theft of sensitive information, unauthorized actions on behalf of the user, or redirection to phishing or malware sites. The vulnerability does not require authentication, increasing its risk profile. The lack of a CVSS score means severity must be assessed based on impact and exploitability factors. The plugin is widely used in WordPress sites that employ Elementor, a popular page builder, thus broadening the scope of affected systems. The vulnerability was publicly disclosed on November 9, 2024, with no patch currently available, emphasizing the need for immediate attention from site administrators.

The potential impact of CVE-2024-51674 is significant for organizations using the Sastra Essential Addons for Elementor plugin. Successful exploitation can compromise the confidentiality and integrity of user sessions by enabling attackers to execute arbitrary scripts in the victim’s browser. This can lead to session hijacking, theft of cookies or credentials, unauthorized actions performed on behalf of users, and distribution of malware or phishing attacks. For organizations, this can result in data breaches, reputational damage, loss of customer trust, and potential regulatory penalties if personal data is exposed. Since the vulnerability is DOM-based XSS, it primarily affects end-users interacting with the vulnerable web pages, but the resulting compromise can escalate to broader organizational impacts. The ease of exploitation without authentication and the widespread use of Elementor and its addons increase the risk and potential scale of attacks. Websites that rely on this plugin for critical business functions or handle sensitive user data are particularly vulnerable. The absence of a patch at the time of disclosure further elevates the risk until mitigations are applied.

1. Monitor the Fast Themes official channels and trusted vulnerability databases for the release of a security patch addressing CVE-2024-51674 and apply it immediately upon availability. 2. In the interim, disable or deactivate the Sastra Essential Addons for Elementor plugin if feasible, especially on high-risk or sensitive websites. 3. Implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 4. Review and sanitize all user inputs and URL parameters used by the plugin manually if possible, applying rigorous output encoding to prevent script injection. 5. Educate users and administrators about the risks of clicking on suspicious links and encourage the use of security tools such as web application firewalls (WAFs) that can detect and block XSS payloads. 6. Conduct regular security audits and penetration testing focusing on client-side vulnerabilities in web applications using Elementor and its addons. 7. Keep WordPress core, themes, and all plugins updated to minimize exposure to known vulnerabilities.