CVE-2024-34415
Description
Stored XSS vulnerability in Thim Elementor Kit plugin for WordPress up to 1.1.8 allows authenticated attackers to inject malicious scripts that execute when visitors view affected pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Thim Elementor Kit plugin for WordPress, versions up to and including 1.1.8, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw permits authenticated attackers with appropriate privileges to inject arbitrary web scripts that are stored on the server.
Exploitation requires an attacker to have a user role capable of submitting input that is later displayed without sanitization. While the attack requires authenticated access, the injected payloads are executed in the browsers of other users or site visitors when they view the affected pages [1]. No direct user interaction beyond viewing the page is needed for execution.
Successful exploitation enables an attacker to inject malicious scripts such as redirects, advertisements, or other HTML payloads. These scripts run in the context of the visitor's session, potentially leading to phishing, defacement, or further compromise [1].
The vulnerability is addressed in version 1.1.9 of the plugin. Users are strongly advised to update to this version or later. Patchstack users can enable automatic updates for vulnerable plugins [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=1.1.8
- (no CPE) range: <=1.1.8
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.