CVE-2024-5576 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Tutor LMS Elementor Addons plugin for WordPress, affecting all versions up to 2.1.4. The vulnerability exists in the 'course_carousel_skin' attribute of the Course Carousel widget, where insufficient sanitization and output escaping allow authenticated users with contributor-level access or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability leverages CWE-79, indicating improper neutralization of input during web page generation. The attack vector is network-based with low attack complexity, requiring no user interaction but authenticated access with limited privileges. The scope is changed (S:C) because the vulnerability can affect other users beyond the attacker. The CVSS 3.1 score of 6.4 reflects a medium severity, with impacts on confidentiality and integrity but no direct availability impact. No known public exploits exist yet, and no official patches have been published at the time of disclosure. The vulnerability is significant because contributor-level users are common in WordPress environments, and the stored XSS can be used to compromise site visitors or administrators. Mitigation requires input validation, output escaping, and privilege management.

The primary impact of CVE-2024-5576 is the compromise of confidentiality and integrity within affected WordPress sites using the Tutor LMS Elementor Addons plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of any user visiting the infected pages. This can lead to session hijacking, theft of sensitive information such as authentication tokens or personal data, unauthorized actions performed on behalf of users, and potential defacement or redirection to malicious sites. While availability is not directly impacted, the reputational damage and potential data breaches can be severe. Educational institutions, e-learning platforms, and organizations relying on Tutor LMS for online courses are at risk of losing user trust and facing compliance issues. Since contributor-level access is often granted to content creators or editors, the attack surface is broader than if only administrators could exploit this. The vulnerability could be leveraged as a foothold for further attacks within the WordPress environment or the hosting infrastructure.

To mitigate CVE-2024-5576, organizations should immediately restrict contributor-level privileges to trusted users only and audit existing users for unnecessary permissions. Implement strict input validation and output escaping for all user-supplied data in the Tutor LMS Elementor Addons plugin, especially the 'course_carousel_skin' attribute. Until an official patch is released, consider disabling or removing the vulnerable Course Carousel widget or the entire plugin if feasible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts targeting this attribute. Monitor logs for unusual activity from contributor accounts and conduct regular security reviews of WordPress plugins. Educate content contributors about the risks of injecting untrusted content. Once a patch becomes available, apply it promptly. Additionally, consider implementing Content Security Policy (CSP) headers to reduce the impact of any injected scripts by restricting script execution sources.