CVE-2024-9867 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Element Pack Elementor Addons plugin for WordPress, specifically affecting components such as Header Footer, Template Library, Dynamic Grid & Carousel, and Remote Arrows. The vulnerability exists due to insufficient sanitization and escaping of user-supplied input in the 'marker_content' parameter of the Open Map Widget. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of victims. The vulnerability affects all versions up to and including 5.10.2. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, requiring privileges and user interaction, with a scope change and limited confidentiality and integrity impact but no availability impact. No public exploits are known, but the vulnerability poses a risk in environments with multiple contributors and public content. The lack of a patch link suggests a fix may be pending or not yet publicly released, emphasizing the need for mitigation strategies.

The impact of CVE-2024-9867 is primarily on the confidentiality and integrity of affected WordPress sites. Exploitation allows attackers to execute arbitrary JavaScript in the context of the victim's browser, which can lead to session hijacking, theft of sensitive information, defacement, or distribution of malware. Since the vulnerability requires authenticated access at Contributor level or above, the risk is higher in environments with multiple users who have content editing privileges. Public-facing websites using the vulnerable plugin are at risk of reputational damage and user trust erosion if exploited. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting other parts of the site or user data. Although no availability impact is noted, the indirect consequences of successful exploitation can be severe, including unauthorized actions performed on behalf of users. Organizations relying on this plugin without strict user access controls or monitoring are particularly vulnerable.

Organizations should immediately review user roles and permissions to restrict Contributor-level or higher access to trusted personnel only. Until an official patch is released, consider disabling or removing the vulnerable Element Pack Elementor Addons plugin components, especially the Open Map Widget. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'marker_content' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Regularly audit and sanitize user-generated content before publishing. Monitor logs for unusual activity related to plugin usage or script injections. Stay updated with vendor announcements for patches and apply them promptly once available. Additionally, educate content contributors about the risks of injecting untrusted content and enforce secure development and content management practices.