CVE-2024-7064 is a stored Cross-Site Scripting (XSS) vulnerability identified in the ElementsKit Pro plugin for WordPress, a widely used toolkit for enhancing website functionality. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient input sanitization and output escaping in several parameters. It affects all versions up to and including 3.6.5. An attacker with authenticated access at the Contributor level or above can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored, it executes every time any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction to trigger once the malicious content is stored, and the attacker only needs low privileges (Contributor role), which is commonly assigned in multi-user WordPress environments. The CVSS 3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and no user interaction required. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, but the presence of this vulnerability in a popular plugin makes it a notable risk. The lack of available patches at the time of reporting necessitates immediate attention from administrators.

The impact of CVE-2024-7064 is significant for organizations running WordPress sites with the ElementsKit Pro plugin installed. Successful exploitation allows attackers with relatively low privileges to inject persistent malicious scripts, which can compromise the confidentiality and integrity of user data by stealing session cookies, credentials, or performing actions on behalf of users. This can lead to account takeover, unauthorized content modification, or further privilege escalation. The availability impact is minimal, as the vulnerability does not directly cause denial of service. However, reputational damage and loss of user trust can be severe if customer data or site integrity is compromised. Since Contributor-level access is often granted to content creators or editors, insider threats or compromised accounts can be leveraged to exploit this vulnerability. The scope change means that the attack can affect other components or users beyond the initially vulnerable plugin, increasing the risk profile. Organizations with high-traffic WordPress sites, especially those handling sensitive user data or e-commerce transactions, face elevated risks from this vulnerability.

To mitigate CVE-2024-7064, organizations should immediately restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious script injection. Administrators should monitor and audit user-generated content for suspicious scripts or unexpected changes. Employing Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting ElementsKit Pro parameters can provide temporary protection. Until an official patch is released, consider disabling or uninstalling the ElementsKit Pro plugin if feasible. Additionally, implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. Regularly update WordPress core and all plugins to the latest versions once patches become available. Conduct security awareness training for users with elevated privileges to recognize phishing or social engineering attempts that could lead to account compromise. Finally, perform routine security scans and penetration tests focusing on XSS vulnerabilities to detect similar issues proactively.