CVE-2024-5332 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Exclusive Addons for Elementor plugin for WordPress, specifically in the Card widget component. The vulnerability exists due to insufficient sanitization and escaping of user-supplied input attributes before rendering them in web pages. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts via the vulnerable widget. Once injected, the malicious scripts persist in the content and execute in the browsers of any users who visit the affected pages, potentially compromising their session cookies, enabling unauthorized actions, or redirecting users to malicious sites. The vulnerability affects all versions up to and including 2.6.9.8. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C). The impact includes limited confidentiality and integrity loss but no availability impact. No official patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. This vulnerability is particularly concerning for sites that allow multiple contributors and have high traffic, as it can be leveraged to compromise site visitors or escalate privileges internally.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of site visitors and administrators. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, defacement, or distribution of malware. While the vulnerability does not directly affect availability, the integrity and confidentiality of site data and user sessions are at risk. Organizations relying on the Exclusive Addons for Elementor plugin may face reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. The requirement for contributor-level access limits exploitation to insiders or compromised accounts, but many WordPress sites have multiple contributors, increasing the attack surface. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the initially vulnerable component, potentially impacting the entire site or user base.

To mitigate this vulnerability, organizations should immediately update the Exclusive Addons for Elementor plugin to a version that addresses this issue once released by the vendor. Until a patch is available, restrict contributor-level access to trusted users only and review user permissions to minimize the number of users with such privileges. Implement web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the plugin's Card widget. Conduct regular security audits and content reviews to identify and remove any injected malicious scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. Additionally, educate contributors about safe content practices and monitor logs for suspicious activities. Consider isolating or disabling the vulnerable widget if it is not essential to site functionality. Finally, maintain regular backups to enable rapid recovery if exploitation occurs.