CVE-2024-6495 is a stored cross-site scripting vulnerability identified in the Premium Addons for Elementor plugin for WordPress, affecting all versions up to and including 4.10.36. The flaw exists in the Animated Text widget due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes. Authenticated attackers with contributor-level access or higher can exploit this vulnerability by injecting arbitrary JavaScript code into pages. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability requires authentication but no additional user interaction, increasing its risk within environments where multiple users have editing privileges. The CVSS 3.1 base score of 6.4 reflects a medium severity, considering the network attack vector, low attack complexity, and partial impact on confidentiality and integrity but no impact on availability. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly to avoid exploitation. This vulnerability falls under CWE-79, a common and well-understood category of web application security issues.

The primary impact of CVE-2024-6495 is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the context of other users’ browsers. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of users, defacement, or distribution of malware. For organizations, this undermines the integrity and confidentiality of their web presence and user data. Since the vulnerability requires authenticated access, the risk is higher in environments with multiple content editors or contributors, such as media companies, educational institutions, and large enterprises using WordPress for content management. The scope of impact includes any site using the vulnerable plugin version, potentially affecting thousands of websites worldwide. While availability is not impacted, the breach of trust and potential data leakage can cause reputational damage and compliance issues. The absence of known exploits in the wild currently limits immediate risk, but the vulnerability’s public disclosure increases the likelihood of future exploitation attempts.

Organizations should immediately verify if they use the Premium Addons for Elementor plugin and identify the version in use. Since no official patch is currently available, administrators should consider the following mitigations: restrict contributor-level access to trusted users only; implement strict user role management and auditing to minimize the number of users with editing privileges; apply web application firewall (WAF) rules to detect and block suspicious script injection attempts targeting the Animated Text widget; disable or remove the Animated Text widget if not essential; monitor logs and user activity for signs of exploitation; and prepare to apply official patches or updates from the vendor once released. Additionally, site owners should ensure that WordPress core and all plugins are kept up to date and consider employing Content Security Policy (CSP) headers to limit the impact of injected scripts. Regular security training for content editors can also reduce the risk of inadvertent exploitation.