CVE-2024-9994 is a stored Cross-Site Scripting (XSS) vulnerability found in the WordPress plugin 'Essential Addons for Elementor – Popular Elementor Templates and Widgets,' developed by wpdevteam. This vulnerability specifically affects the Pricing Table Widget component, where the parameter 'eael_pricing_item_tooltip_content' does not properly sanitize or escape user-supplied input. As a result, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the affected WordPress site. The vulnerability affects all plugin versions up to and including 6.1.12. The CVSS v3.1 base score is 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to contributor access but no user interaction is needed for exploitation. The scope is changed because the vulnerability allows an attacker to affect other users beyond their own privileges. No known exploits are currently reported in the wild, and no official patches have been linked yet. This vulnerability falls under CWE-79, which concerns improper neutralization of input during web page generation, a common cause of XSS issues.

For European organizations using WordPress websites with the Essential Addons for Elementor plugin, this vulnerability poses a significant risk to website integrity and user trust. Attackers with contributor-level access—often content creators or editors—can inject malicious scripts that execute in the browsers of site visitors or administrators. This can lead to theft of authentication cookies, enabling session hijacking, unauthorized actions such as content defacement, or even further compromise of the website backend. Given the widespread use of WordPress and Elementor in Europe for corporate, governmental, and e-commerce websites, exploitation could result in reputational damage, data breaches involving personal data protected under GDPR, and potential financial losses. The vulnerability does not directly impact availability but compromises confidentiality and integrity. Since contributor-level access is required, the threat is somewhat mitigated by proper access controls, but insider threats or compromised contributor accounts increase risk. The lack of user interaction for exploitation means that once the malicious script is injected, any visitor to the affected page is at risk. This could also facilitate phishing or drive-by malware attacks targeting European users.

European organizations should immediately audit their WordPress installations for the presence of the Essential Addons for Elementor plugin and verify the version in use. Until an official patch is released, organizations should restrict contributor-level permissions to trusted users only and consider temporarily disabling or removing the Pricing Table Widget functionality if feasible. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the 'eael_pricing_item_tooltip_content' parameter can provide interim protection. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting the execution of unauthorized JavaScript. Regularly monitoring logs for unusual activity or unexpected content changes in pricing tables is recommended. Organizations should also educate content contributors about the risks of uploading untrusted content and enforce strong authentication mechanisms to prevent account compromise. Once a patch is available, prompt updating of the plugin is critical. Finally, conducting a thorough security review of user roles and permissions within WordPress can reduce the attack surface.