CVE-2024-5555 is a stored cross-site scripting vulnerability identified in the bdthemes Element Pack Elementor Addons plugin for WordPress, specifically impacting components such as Header Footer, Template Library, Dynamic Grid & Carousel, and Remote Arrows. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The 'social-link-title' parameter fails to adequately sanitize and escape user-supplied input, allowing authenticated users with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions within the context of the affected site. The vulnerability affects all plugin versions up to and including 5.6.5. The CVSS v3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and scope change due to impact on other users. No public exploits have been reported yet, but the vulnerability poses a significant risk given the widespread use of WordPress and the plugin. The issue was published on July 18, 2024, and assigned by Wordfence. No official patches have been linked yet, emphasizing the need for proactive mitigation.

The primary impact of CVE-2024-5555 is the compromise of confidentiality and integrity within affected WordPress sites. Attackers with Contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Although availability is not directly affected, the reputational damage and potential data breaches can be severe. Organizations relying on this plugin for critical website functionality risk exposure to targeted attacks, especially if they have multiple contributors or less stringent user role management. The vulnerability's exploitation scope includes all users who view the injected content, potentially amplifying the impact. Given WordPress's dominant market share in content management systems, the threat affects a broad range of industries globally, from e-commerce to media and government websites.

1. Immediate mitigation involves restricting Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input injection. 2. Monitor and audit user-generated content, especially fields related to 'social-link-title' or similar parameters, for suspicious scripts or anomalies. 3. Implement Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting this plugin's parameters. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 5. Regularly update the Element Pack Elementor Addons plugin once an official patch is released by bdthemes. 6. Consider temporarily disabling or removing the vulnerable plugin components if immediate patching is not feasible. 7. Educate site administrators and contributors about safe input practices and the risks of XSS vulnerabilities. 8. Conduct thorough security assessments and penetration testing focusing on user input handling in WordPress plugins.