CVE-2024-9376

The vulnerability is a stored cross-site scripting (XSS) flaw in the Kata Plus – Addons for Elementor plugin for WordPress. Affecting versions up to and including 1.4.7, the plugin fails to properly sanitize SVG file uploads, allowing malicious scripts to be embedded in uploaded SVG files due to insufficient input sanitization and output escaping.

Exploitation requires authenticated access with at least Author-level permissions. An attacker can upload a crafted SVG file containing JavaScript code as part of the file upload functionality provided by the plugin. The script then executes whenever any user accesses the uploaded SVG file, such as when viewing it in a browser.

Successful exploitation allows the attacker to inject arbitrary web scripts in the context of the affected website, leading to potential theft of sensitive information, session hijacking, or defacement.

The vendor has addressed this issue in later versions of the plugin, as indicated by security fixes in version 1.5.6 and subsequent releases [1]. Users are strongly advised to update to the latest available version.