CVE-2024-3064
Description
Stored XSS vulnerability in the WordPress Stax plugin's Heading widget allows authenticated attackers with contributor-level access to inject arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Stax Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its 'Heading' widget in all versions up to and including 1.4.4.1. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes, allowing malicious script injection [1].
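The flaw class described above, as an added illustrative example that is not Stax Addons' own code: a minimal Elementor-style heading widget whose render method concatenates widget settings into markup verbatim, beside a hardened render method that allow-lists the tag name and escapes each value with the WordPress escaper that matches its output context. The page does not name the affected setting, so the setting names ('title', 'header_size', 'link', 'css_id') and the widget class are assumptions; the block needs WordPress and Elementor loaded to run.

```php
<?php
// Added illustrative example, not the Stax plugin's code. Setting names,
// class name and control layout are assumptions; the page does not say
// which Heading widget attribute was unescaped.
namespace Example;

use Elementor\Widget_Base;
use Elementor\Controls_Manager;

class Heading_Widget extends Widget_Base {

    public function get_name() { return 'example_heading'; }
    public function get_title() { return 'Example Heading'; }

    protected function register_controls() {
        $this->start_controls_section( 'content', [ 'label' => 'Content' ] );
        $this->add_control( 'title',       [ 'type' => Controls_Manager::TEXT, 'default' => 'Heading' ] );
        $this->add_control( 'header_size', [ 'type' => Controls_Manager::SELECT, 'default' => 'h2',
            'options' => [ 'h1' => 'H1', 'h2' => 'H2', 'h3' => 'H3', 'h4' => 'H4', 'h5' => 'H5', 'h6' => 'H6', 'div' => 'div', 'span' => 'span' ] ] );
        $this->add_control( 'link',        [ 'type' => Controls_Manager::URL ] );
        $this->add_control( 'css_id',      [ 'type' => Controls_Manager::TEXT ] );
        $this->end_controls_section();
    }

    // VULNERABLE pattern (kept only for comparison, never called): every
    // setting is concatenated into HTML as-is. The SELECT option list is only
    // enforced by the editor UI, so a contributor can save
    // header_size = 'h2 onmouseover=alert(1)' or css_id = '" onload="..."'
    // and the script runs for whoever views the page.
    protected function render_vulnerable() {
        $s   = $this->get_settings_for_display();
        $tag = $s['header_size'];
        $html = '<' . $tag . ' id="' . $s['css_id'] . '">';
        if ( ! empty( $s['link']['url'] ) ) {
            $html .= '<a href="' . $s['link']['url'] . '">' . $s['title'] . '</a>';
        } else {
            $html .= $s['title'];
        }
        echo $html . '</' . $tag . '>';
    }

    // HARDENED: the tag name is checked against an allow-list server-side,
    // attributes go through esc_attr()/esc_url(), and the text node through
    // esc_html(). Each escaper is chosen by where the value lands in the markup.
    protected function render() {
        $s = $this->get_settings_for_display();

        $allowed_tags = [ 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p' ];
        $tag = in_array( $s['header_size'], $allowed_tags, true ) ? $s['header_size'] : 'h2';

        $id_attr = '';
        if ( ! empty( $s['css_id'] ) ) {
            $id_attr = ' id="' . esc_attr( $s['css_id'] ) . '"';
        }

        // esc_html() for plain text; use wp_kses_post() instead only if the
        // widget is meant to accept limited inline HTML such as <br> or <em>.
        $title = esc_html( $s['title'] );
        if ( ! empty( $s['link']['url'] ) ) {
            // esc_url() rejects javascript:/data: schemes and escapes for attribute use.
            $title = '<a href="' . esc_url( $s['link']['url'] ) . '">' . $title . '</a>';
        }

        printf( '<%1$s%2$s>%3$s</%1$s>', $tag, $id_attr, $title );
    }
}
```

The tag allow-list is the part most often missed: a SELECT control constrains the editor UI, not the value that reaches the server, so the saved string must be re-validated on output. Elementor core ships \Elementor\Utils::validate_html_tag() for that purpose and can replace the hand-written allow-list above.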
An authenticated attacker with contributor-level access or higher can exploit this by inserting arbitrary web script through the Heading widget's settings. Because the payload is saved with the post, it executes in the browser of every user who renders the affected page [1]. In a default WordPress installation contributors cannot publish, so the first victim is typically the editor or administrator who previews or reviews the pending post, which is what gives a low-privileged account a path to a privileged session.
Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser within the site's origin, which can lead to session hijacking, website defacement, or actions performed with the victim's privileges against other users [1].
Users are advised to update the plugin to a version later than 1.4.4.1 to mitigate this vulnerability. No official patch has been confirmed for this specific issue, so administrators should check the vendor's changelog for the release that addresses escaping in the Heading widget before relying on an update as the fix [1].
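Before or after updating, an administrator will want to know whether a payload is already stored. Elementor keeps each page's widget tree as JSON in the `_elementor_data` post meta, so the saved settings can be scanned directly. The following is an added example, not part of this page or of the Stax plugin: a plain-PHP scanner over that JSON that flags string settings containing script tags, event-handler attributes, javascript: URLs or embedded frames. The Stax widget's internal widgetType name is not given here and is deliberately not assumed; every widget's settings are checked. The sample JSON and the function names are constructed for the example.

```php
<?php
// Added example, not Stax Addons' code. Scans Elementor's `_elementor_data`
// JSON for widget settings that carry active markup. The Stax widget's
// widgetType is unknown on this page, so all widgets are checked.
// Runs with plain PHP on the constructed sample at the bottom; in production
// feed it rows from wp_postmeta WHERE meta_key = '_elementor_data'.

const SUSPICIOUS = [
    '/<\s*script\b/i',
    '/\bon[a-z]+\s*=/i',                 // onerror=, onload=, onmouseover=
    '/javascript\s*:/i',
    '/<\s*(iframe|object|embed|svg)\b/i',
];

// Walk one widget's settings array (nested arrays included) and record
// every string value that matches a suspicious pattern.
function scan_settings( array $settings, string $path, array &$hits ): void {
    foreach ( $settings as $key => $value ) {
        $here = $path . '.' . $key;
        if ( is_array( $value ) ) {
            scan_settings( $value, $here, $hits );
            continue;
        }
        if ( ! is_string( $value ) ) {
            continue;
        }
        foreach ( SUSPICIOUS as $re ) {
            if ( preg_match( $re, $value ) ) {
                $hits[] = [ 'setting' => $here, 'pattern' => $re, 'value' => $value ];
                break;
            }
        }
    }
}

// Recurse through sections -> columns -> widgets; only widgets carry
// user-editable content settings worth scanning.
function scan_elements( array $elements, string $path, array &$hits ): void {
    foreach ( $elements as $i => $el ) {
        $label = $path . '/' . ( $el['widgetType'] ?? $el['elType'] ?? 'el' ) . '[' . $i . ']';
        if ( ( $el['elType'] ?? '' ) === 'widget' && isset( $el['settings'] ) && is_array( $el['settings'] ) ) {
            scan_settings( $el['settings'], $label, $hits );
        }
        if ( ! empty( $el['elements'] ) && is_array( $el['elements'] ) ) {
            scan_elements( $el['elements'], $label, $hits );
        }
    }
}

/** Returns the suspicious settings found in one post's `_elementor_data` JSON. */
function scan_elementor_data( int $post_id, string $json ): array {
    $hits = [];
    $tree = json_decode( $json, true );
    if ( ! is_array( $tree ) ) {
        return $hits;  // not Elementor JSON (or corrupted); nothing to scan
    }
    scan_elements( $tree, 'post:' . $post_id, $hits );
    return $hits;
}

// Constructed sample: one section/column with two heading widgets, one benign
// and one carrying an event-handler payload in its title setting.
$sample = json_encode( [ [
    'id' => 'a1', 'elType' => 'section', 'settings' => [],
    'elements' => [ [
        'id' => 'b2', 'elType' => 'column', 'settings' => [],
        'elements' => [
            [ 'id' => 'c3', 'elType' => 'widget', 'widgetType' => 'heading',
              'settings' => [ 'title' => 'Welcome', 'header_size' => 'h2' ] ],
            [ 'id' => 'd4', 'elType' => 'widget', 'widgetType' => 'heading',
              'settings' => [ 'title' => 'x<img src=x onerror=alert(document.cookie)>', 'header_size' => 'h2' ] ],
        ],
    ] ],
] ] );

foreach ( scan_elementor_data( 42, $sample ) as $hit ) {
    printf( "%s matched %s: %s\n", $hit['setting'], $hit['pattern'], $hit['value'] );
}
```

Run it over every `_elementor_data` row, including drafts, pending posts and revisions, since a contributor's payload sits in unpublished content until an editor or administrator previews it. The `on[a-z]+=` pattern will occasionally match legitimate text, so treat hits as leads to review rather than verdicts.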
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected products are recorded for this CVE.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2 references are recorded for this CVE.
News mentions
No linked articles in our index yet.