CVE-2024-8960 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Cowidgets – Elementor Addons plugin for WordPress. This vulnerability affects all plugin versions up to and including 1.2.0. The root cause is insufficient input sanitization and output escaping of SVG file uploads, which allows authenticated users with Author-level access or higher to embed arbitrary JavaScript code within SVG files. When these SVG files are accessed by any user, the malicious scripts execute in the context of the victim’s browser, potentially compromising user sessions, stealing cookies, or performing unauthorized actions. The vulnerability is exploitable remotely over the network (AV:N), requires low attack complexity (AC:L), and privileges at the Author level (PR:L), but no user interaction (UI:N). The scope is changed (S:C) because the attack can affect other users beyond the attacker. The impact affects confidentiality and integrity but not availability, reflected in the CVSS score of 6.4. No patches or known exploits are currently available, but the vulnerability is publicly disclosed, increasing the risk of future exploitation. The plugin is widely used in WordPress sites that utilize Elementor page builder addons, making this a relevant threat for many websites relying on this ecosystem.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript in the browsers of users who view the malicious SVG files. This can lead to session hijacking, theft of sensitive information such as authentication tokens or cookies, unauthorized actions performed on behalf of users, and defacement or manipulation of website content. Since the vulnerability requires Author-level access, attackers must first compromise or have legitimate access to an account with such privileges, which is common in multi-author WordPress sites. The scope change means that the attack can affect other users beyond the attacker, increasing the risk to site visitors and administrators. Exploitation could undermine user trust, lead to data breaches, and damage organizational reputation. Organizations with high traffic or sensitive data on WordPress sites using this plugin are particularly at risk. Although no known exploits are reported yet, the public disclosure may prompt attackers to develop exploit code, increasing the urgency for mitigation.

1. Immediately update the Cowidgets – Elementor Addons plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict Author-level user privileges to trusted personnel only and review user roles to minimize unnecessary elevated access. 3. Implement web application firewall (WAF) rules to detect and block malicious SVG uploads or suspicious script content within SVG files. 4. Disable SVG uploads if not required or use plugins that sanitize SVG files to remove embedded scripts. 5. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and limit the impact of XSS attacks. 6. Regularly audit user accounts and monitor logs for unusual upload activity or privilege escalations. 7. Educate site administrators and authors about the risks of uploading untrusted SVG files. 8. Consider isolating SVG content in sandboxed iframes or separate domains to contain potential script execution. These measures collectively reduce the attack surface and limit the potential damage from exploitation.