CVE-2024-1171
Description
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery Widget in all versions up to, and including, 5.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Essential Addons for Elementor Filterable Gallery Widget allows contributor-level attackers to inject arbitrary scripts.
Vulnerability
The Essential Addons for Elementor plugin for WordPress (versions up to and including 5.9.8) contains a stored cross-site scripting vulnerability in the Filterable Gallery Widget. Insufficient input sanitization and output escaping allow authenticated users with contributor-level or higher permissions to inject arbitrary web scripts. [1]
Exploitation
An attacker must have a WordPress account with at least contributor-level permissions. They can create or edit a post/page containing the Filterable Gallery Widget and inject malicious script code into the widget's settings. When any user (including administrators) views the affected page, the script executes. [1]
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in session hijacking, defacement, or redirection to malicious sites. The attack is persistent and affects all visitors to the compromised page. [1]
Mitigation
The vulnerability is fixed in version 5.9.9 of the plugin, as indicated by the changeset [2]. Users should update to version 5.9.9 or later immediately. No workaround is available. The plugin is actively maintained and not listed on CISA's Known Exploited Vulnerabilities catalog as of publication. [2]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:wpdeveloper:essential_addons_for_elementor:*:*:*:*:lite:wordpress:*:* (range: <5.9.9)
- Range: <=5.9.8
Patches
- r3034127
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.