CVE-2024-54247

The ABCBiz Addons and Templates for Elementor WordPress plugin versions prior to 2.0.3 contain a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables attackers with contributor-level access or higher to inject arbitrary JavaScript or HTML into posts or pages.

Exploitation requires the attacker to have an account with at least contributor privileges. The injected payload is stored on the server and executed when any user, including administrators and visitors, views the affected page. No direct user interaction beyond normal browsing is needed for the victim to trigger the script [1].

Successful exploitation allows an attacker to perform actions such as redirecting users to malicious sites, displaying unauthorized advertisements, stealing session cookies, or defacing the website. The CVSS score of 6.5 reflects the medium severity, with a network attack vector and low complexity [1].

Users are strongly advised to update the plugin to version 2.0.3 or later, which contains the fix. If updating is not immediately possible, consider restricting contributor and author roles or applying a virtual patch via a web application firewall. The plugin vendor has released a patched version addressing this vulnerability [1].