CVE-2024-5189 is a stored cross-site scripting (XSS) vulnerability identified in the WordPress plugin Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders, affecting all versions up to and including 5.9.23. The root cause is insufficient sanitization and escaping of the 'custom_js' parameter, which is used during web page generation. Authenticated attackers with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the user. The vulnerability does not require user interaction beyond page access and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no UI interaction. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, potentially impacting other users. No public exploits are known yet, but the widespread use of the plugin and the commonality of Contributor roles in WordPress sites make this a significant risk. The vulnerability is categorized under CWE-79, which relates to improper neutralization of input during web page generation, a classic XSS issue. No official patches or updates are linked yet, so mitigation relies on access control and input validation measures.

This vulnerability can lead to significant security risks for organizations running WordPress sites with the affected plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and defacement or manipulation of website content. Since the vulnerability affects the integrity and confidentiality of user data and site content, it undermines trust and can result in reputational damage. The availability impact is minimal as the vulnerability does not cause denial of service. However, the scope change means that attackers can escalate their influence beyond their assigned privileges, increasing the threat severity. Organizations with multiple contributors or editors are at higher risk. The widespread use of Elementor and its addons globally means many websites could be exposed, including e-commerce, corporate, and informational sites. Exploitation could also facilitate further attacks such as phishing or malware distribution through compromised pages.

Organizations should immediately review user roles and restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. Until an official patch is released, consider disabling or removing the Essential Addons for Elementor plugin if feasible. Implement web application firewall (WAF) rules to detect and block suspicious input patterns targeting the 'custom_js' parameter. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. Conduct thorough input validation and output encoding on any user-supplied data within custom code or theme files to reduce XSS risks. Monitor site logs for unusual activity or script injections. Educate site administrators and contributors about the risks of injecting custom JavaScript. Once a patch is available, prioritize prompt updating of the plugin to the fixed version. Additionally, consider implementing multi-factor authentication (MFA) for all users with elevated privileges to reduce the risk of account compromise.