CVE-2024-54260
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blazethemes News Kit Elementor Addons (news-kit-elementor-addons) allows Stored XSS. This issue affects News Kit Elementor Addons: from n/a through <= 1.4.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in News Kit Elementor Addons allows authenticated attackers to inject scripts via unescaped input, affecting versions ≤1.4.2.
Vulnerability Summary
The vulnerability is a stored cross-site scripting (XSS) issue in the WordPress plugin News Kit Elementor Addons, versions up to and including 1.4.2. The plugin fails to properly neutralize user input during web page generation, leading to a stored XSS flaw [1].
Attack Vector and Requirements
Exploitation requires a user with at least Contributor-level privileges (or equivalent) to inject malicious scripts. The attacker can craft input that, when saved by the plugin, executes in the context of any visitor's browser. No direct user interaction is needed from the victim beyond normal browsing [1].
Impact
A successful attack allows an authenticated user to inject arbitrary JavaScript or HTML, which executes when other users or site visitors view the affected page. This could lead to session hijacking, redirection to malicious sites, or defacement [1].
Mitigation
Users should update the plugin to version 1.4.3 or later. No workaround is available; updating is the only effective remediation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=1.4.2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.