CVE-2024-8858 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Elementor Addons by Livemesh plugin for WordPress. The vulnerability exists due to insufficient sanitization and escaping of the 'piechart_settings' parameter, which allows an authenticated attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability affects all versions up to and including 8.5 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. The impact primarily affects confidentiality and integrity but does not affect availability. No public exploits are currently known, but the vulnerability's presence in a widely used WordPress plugin makes it a significant concern. The issue was publicly disclosed on September 25, 2024, and no official patches have been linked yet, emphasizing the need for immediate mitigation steps by administrators.

The vulnerability allows authenticated users with Contributor-level access or higher to inject malicious scripts that execute in the browsers of other users viewing the affected pages. This can lead to theft of session cookies, unauthorized actions performed on behalf of other users, defacement, or distribution of malware. For organizations, this undermines the confidentiality and integrity of their web applications and user data. Since WordPress powers a significant portion of the web, and Elementor Addons by Livemesh is a popular plugin, the scope of affected systems is broad. Attackers exploiting this vulnerability could compromise user accounts, escalate privileges, or conduct further attacks within the network. The lack of required user interaction facilitates automated exploitation once the malicious content is injected. Although availability is not directly impacted, the reputational damage and potential data breaches can have severe operational and financial consequences.

1. Immediately update the Elementor Addons by Livemesh plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 3. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious payloads targeting the 'piechart_settings' parameter. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Regularly audit user-generated content and plugin configurations for suspicious or unexpected scripts. 6. Educate site administrators and users about the risks of XSS and the importance of privilege management. 7. Monitor logs for unusual activity related to page edits or script injections. 8. Consider disabling or replacing the vulnerable plugin if immediate patching is not feasible.