CVE-2021-24259: 
WordPress vulnerability analysis and mitigation

The Elementor Addon Elements WordPress Plugin before version 1.11.2 was identified with CVE-2021-24259, a stored Cross-Site Scripting (XSS) vulnerability that affects several widgets within the plugin. The vulnerability was discovered and publicly disclosed on April 13, 2021, affecting installations of the addon-elements-for-elementor-page-builder plugin (WPScan).

The vulnerability allows lower-privileged users such as contributors to exploit multiple widgets through stored XSS attacks. The issue stems from several parameters that improperly handle HTML tags, including the 'fronttitlehtmltag' in the Flip Box widget, 'headingtag' and 'subheadingtag' in the Price Table widget, and similar parameters in Split Text, Text Separator, and Timeline widgets. The vulnerability received a CVSS score of 6.8 (medium) and is classified under CWE-79 (WPScan).

When exploited, the vulnerability allows attackers to inject and execute malicious JavaScript code that gets executed when saved pages are viewed or previewed. This affects the security of both administrators and site visitors, as the injected code persists in the database and executes whenever the affected page is accessed (WPScan).

The vulnerability was patched in version 1.11.2 of the Elementor Addon Elements plugin. Users are strongly advised to update to this version or later to protect against potential XSS attacks (WPScan, Wordfence).