CVE-2024-8961 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders, maintained by wpdevteam. The vulnerability exists in all versions up to and including 6.0.7 due to insufficient sanitization and escaping of the 'nomore_items_text' parameter during web page generation. This flaw allows authenticated attackers with at least Contributor-level privileges to inject arbitrary JavaScript code into pages. Because the injected script is stored and executed whenever any user accesses the affected page, it can lead to persistent XSS attacks. The vulnerability exploits improper neutralization of input (CWE-79), a common web application security issue. The CVSS 3.1 base score of 6.4 reflects a medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the risk remains significant given the plugin's popularity. The vulnerability could be leveraged to steal cookies, perform actions on behalf of users, or deliver malware. The lack of an official patch at the time of disclosure necessitates immediate mitigation steps by administrators.

The impact of CVE-2024-8961 is primarily on the confidentiality and integrity of affected WordPress sites using the Essential Addons for Elementor plugin. Successful exploitation allows attackers with Contributor-level access to inject persistent malicious scripts, which execute in the context of any user visiting the compromised page. This can lead to session hijacking, theft of sensitive information, unauthorized actions such as content modification or user privilege escalation, and distribution of malware. Since the vulnerability does not affect availability, denial-of-service is unlikely. However, the scope change means the attacker's influence can extend beyond their own privileges, affecting other users including administrators. Organizations relying on this plugin for website functionality, especially those handling sensitive user data or e-commerce transactions, face reputational damage, data breaches, and potential regulatory consequences if exploited. The medium CVSS score reflects the need for timely remediation but indicates that exploitation requires authenticated access, somewhat limiting the threat surface.

To mitigate CVE-2024-8961, organizations should immediately restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Until an official patch is released, administrators can implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'nomore_items_text' parameter. Employing Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Regularly audit and sanitize user-generated content, especially from contributors, to identify and remove any injected scripts. Monitoring logs for unusual activity or changes in page content can help detect exploitation attempts early. Updating the plugin to a patched version once available is critical. Additionally, educating site administrators and contributors about the risks of injecting untrusted content and enforcing the principle of least privilege will reduce exposure. Backup website data regularly to enable recovery in case of compromise.