CVE-2024-5341 is a stored cross-site scripting vulnerability identified in The Plus Addons for Elementor Page Builder plugin for WordPress, affecting all versions up to and including 5.5.4. The vulnerability stems from improper neutralization of user-supplied input in the 'size' attribute of the Heading Title widget. Specifically, the plugin fails to adequately sanitize and escape this attribute, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising user sessions, stealing credentials, or performing unauthorized actions within the context of the affected site. The vulnerability requires no user interaction beyond viewing the infected page and does not require higher privileges than contributor access, which is commonly granted to content editors. The CVSS 3.1 base score of 6.4 reflects a medium severity rating, with attack vector being network-based, low attack complexity, and privileges required being low. The scope is changed because the vulnerability affects other users beyond the attacker. No known public exploits have been reported yet, but the risk remains significant due to the widespread use of the plugin and WordPress platform. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins that allow user-generated content. Until a patch is released, administrators should consider restricting contributor permissions or monitoring inputs to mitigate risk.

The impact of CVE-2024-5341 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts that execute in the browsers of any user visiting the compromised pages. This can lead to session hijacking, theft of authentication tokens, defacement of website content, or redirection to malicious sites. For organizations, this can result in reputational damage, loss of user trust, and potential data breaches. Since contributor-level access is relatively low privilege, many organizations with multiple content editors are at risk. The vulnerability does not directly affect availability but can indirectly cause service disruption if exploited for defacement or malware distribution. The scope of the attack extends beyond the attacker’s own account, affecting all visitors to the infected pages. Given the popularity of Elementor and its addons, many websites globally could be impacted, especially those that allow multiple contributors and have not yet updated or mitigated the vulnerability.

1. Apply patches or updates from The Plus Addons for Elementor Page Builder plugin as soon as they become available to address the input sanitization and output escaping issues. 2. Until a patch is released, restrict contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. 3. Implement a web application firewall (WAF) with rules to detect and block common XSS payloads targeting the 'size' attribute or similar vectors in Elementor widgets. 4. Conduct regular security audits and code reviews of user-generated content inputs, especially in plugins that allow rich content editing. 5. Enable Content Security Policy (CSP) headers to reduce the impact of XSS by restricting script execution sources. 6. Educate content contributors about safe content practices and the risks of injecting untrusted code. 7. Monitor website logs and user activity for unusual behavior that may indicate exploitation attempts. 8. Consider disabling or limiting the use of the vulnerable Heading Title widget if feasible until a fix is applied.