CVE-2024-7791 is a stored Cross-Site Scripting (XSS) vulnerability identified in the 140+ Widgets | Xpro Addons For Elementor – FREE WordPress plugin, specifically within the Post Grid widget's 'arrow' parameter. This vulnerability stems from insufficient input sanitization and output escaping, which allows malicious scripts to be stored persistently in the website's content. Authenticated attackers with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages rendered by the vulnerable widget. When other users access these pages, the injected scripts execute in their browsers, potentially compromising user sessions, stealing sensitive data, or performing unauthorized actions on behalf of the victim. The vulnerability affects all plugin versions up to and including 1.4.4.3. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable module. No public exploits have been reported yet, but the vulnerability's presence in a widely used WordPress plugin makes it a significant risk. The root cause is the failure to properly neutralize input during web page generation, classified under CWE-79. Since the vulnerability requires authenticated access, it limits exploitation to users with some level of trust, but Contributor-level access is common in many WordPress environments, increasing the risk.

The impact of CVE-2024-7791 is significant for organizations using the affected WordPress plugin. Successful exploitation can lead to persistent XSS attacks that compromise the confidentiality and integrity of user sessions and data. Attackers can hijack administrator or editor sessions, deface websites, inject phishing content, or perform actions on behalf of legitimate users, potentially leading to broader compromise of the WordPress environment. Since the vulnerability requires authenticated access at Contributor level or above, insider threats or compromised user accounts can be leveraged to exploit this flaw. The scope change in the CVSS vector indicates that the vulnerability affects multiple components or privileges beyond the initial context, potentially amplifying the damage. Organizations relying on this plugin for content presentation are at risk of reputational damage, data leakage, and unauthorized administrative actions. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code may emerge. Given the widespread use of Elementor and its addons, the potential attack surface is large, affecting websites globally.

To mitigate CVE-2024-7791, organizations should immediately update the 140+ Widgets | Xpro Addons For Elementor – FREE plugin to a patched version once available. Until a patch is released, administrators should restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. Implement Web Application Firewall (WAF) rules that detect and block suspicious input patterns targeting the 'arrow' parameter or Post Grid widget. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly audit user roles and permissions to ensure minimal necessary access. Additionally, monitor website content for unexpected script injections or anomalies. Developers and site administrators should review and harden input validation and output encoding practices in custom widgets or plugins. Finally, maintain regular backups and incident response plans to quickly recover from potential compromises.