CVE-2024-43210
Description
Stored XSS vulnerability in LA-Studio Element Kit for Elementor allows authenticated attackers to inject malicious scripts via improper input neutralization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The LA-Studio Element Kit for Elementor plugin (lastudio-element-kit) for WordPress contains a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of input during web page generation. All versions through 1.3.9.2 are affected; no lower bound is given. Attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, and those scripts execute when other users view the page.
Exploitation
An attacker must have at least Contributor-level access to the WordPress site and the ability to create or edit pages using Elementor. By crafting a malicious input in a widget field that is not sanitized, the attacker can inject JavaScript code. When an administrator or another user visits the compromised page, the script executes in the context of their browser.
Impact
Successful exploitation leads to stored XSS, allowing the attacker to perform actions such as stealing session cookies, defacing pages, or redirecting users to malicious sites. The impact is limited to the WordPress site and its users, but can lead to privilege escalation if an administrator is targeted.
Mitigation
The plugin has addressed this issue in version 1.3.9.3 or later, as indicated by changelog entries such as "Fixed security issue" in subsequent releases [1]. Users are strongly advised to update to the latest version (1.6.0 as of the reference) [1]. No workaround is available; updating is the recommended action.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.3.9.2
- Range: <=1.3.9.2
Patches
No patches discovered yet.
References