CVE-2024-6575 is a stored cross-site scripting (XSS) vulnerability identified in The Plus Addons for Elementor plugin, which provides additional widgets, page templates, and WooCommerce integrations for the popular Elementor page builder on WordPress. The vulnerability specifically targets the 'res_width_value' parameter within the tp_page_scroll widget. Due to improper neutralization of input (CWE-79), the plugin fails to adequately sanitize and escape user-supplied input before rendering it on web pages. This allows an authenticated attacker with at least Contributor-level privileges to inject arbitrary JavaScript code that is persistently stored and executed in the context of any user who views the affected page. The vulnerability does not require user interaction beyond page access and can lead to session hijacking, privilege escalation, or distribution of malware. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity. The scope is changed as the vulnerability affects multiple users beyond the attacker. No patches or exploits are currently publicly available, but the risk remains significant due to the plugin's popularity and the common use of Contributor roles in WordPress sites.

The impact of CVE-2024-6575 is primarily on the confidentiality and integrity of affected WordPress sites. Attackers can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially stealing authentication cookies, performing actions on behalf of users, or defacing websites. This can lead to unauthorized access, data leakage, and reputational damage. Since the vulnerability requires only Contributor-level access, attackers who compromise or register such accounts can leverage this flaw to escalate their privileges or compromise higher-privileged users. The widespread use of Elementor and its addons means many websites, including e-commerce stores using WooCommerce, blogs, and corporate sites, are at risk. The vulnerability does not directly affect availability but can indirectly cause service disruption through defacement or administrative lockout. Organizations relying on this plugin must consider the risk of persistent XSS attacks that can undermine user trust and site security.

To mitigate CVE-2024-6575, organizations should first update The Plus Addons for Elementor plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should restrict Contributor-level access strictly and audit existing user roles to minimize the number of users who can exploit this flaw. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'res_width_value' parameter can reduce exploitation risk. Additionally, site owners should enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scanning the website for injected scripts and monitoring logs for suspicious activity can help detect exploitation attempts early. Educating users about the risks of privilege misuse and enforcing strong authentication controls further reduce the attack surface. Finally, consider disabling or removing unused widgets or addons that increase the attack surface.