CVE-2024-5612 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Essential Addons for Elementor Pro plugin for WordPress, specifically affecting all versions up to and including 5.8.15. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The affected parameter is 'eael_lightbox_open_btn_icon' within the Lightbox & Modal widget, where insufficient input sanitization and output escaping allow an authenticated attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code. This malicious script is stored persistently and executes in the context of any user who visits the infected page, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the user. The vulnerability requires no user interaction to trigger once the malicious content is loaded. The CVSS v3.1 base score is 6.4, indicating a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacts confidentiality and integrity with no availability impact. No public exploits have been reported yet, but the vulnerability poses a significant risk given the widespread use of Elementor Pro and its addons in WordPress sites. The flaw highlights the importance of proper input validation and output encoding in web applications, especially in plugins that extend popular CMS platforms.

The potential impact of CVE-2024-5612 is significant for organizations using WordPress sites with the Essential Addons for Elementor Pro plugin. Successful exploitation allows attackers with Contributor-level access to inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to theft of sensitive information such as authentication cookies, enabling session hijacking and unauthorized access. It may also facilitate further attacks like privilege escalation, defacement, or distribution of malware. Since the vulnerability affects the confidentiality and integrity of user data and site content, organizations risk reputational damage, loss of customer trust, and compliance violations. The attack vector is remote and network-based, increasing the threat surface. Although exploitation requires authenticated access, Contributor-level permissions are commonly granted to many users, including content editors, increasing the likelihood of insider threats or compromised accounts being leveraged. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits may emerge. The vulnerability does not impact availability directly but can indirectly cause service disruption if exploited for further attacks.

To mitigate CVE-2024-5612, organizations should immediately update the Essential Addons for Elementor Pro plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, restrict Contributor-level and higher permissions to trusted users only and audit existing user roles to minimize exposure. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'eael_lightbox_open_btn_icon' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Regularly scan WordPress sites for injected scripts or anomalies in page content. Educate site administrators and content contributors about the risks of XSS and safe content management practices. Additionally, consider disabling or limiting the use of the vulnerable Lightbox & Modal widget if feasible. Monitor security advisories from Essential Addons and WordPress security communities for updates and exploit reports. Finally, maintain comprehensive logging and alerting to detect suspicious activities indicative of exploitation attempts.