CVE-2021-24260: 
WordPress vulnerability analysis and mitigation

The CVE-2021-24260 affects the 'Livemesh Addons for Elementor' WordPress Plugin versions before 6.8. This vulnerability was discovered in early 2021 and involves stored Cross-Site Scripting (XSS) vulnerabilities that can be exploited by lower-privileged users such as contributors (WPScan).

The vulnerability exists in several widgets within the plugin where parameters can be manipulated to execute malicious JavaScript. For example, the 'Heading' widget's 'titletag' parameter can be exploited by sending a 'savebuilder' request with malicious JavaScript. Similar vulnerabilities exist in the 'Pricing Table' widget via the 'plannametag' parameter and the 'Testimonials Slider' widget's 'title_tag' parameter. The CVSS v3.1 base score is 5.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (WPScan, NVD).

When exploited, this vulnerability allows lower-privileged users to inject and store malicious JavaScript code that executes when the affected pages are viewed or previewed by other users. This affects multiple widgets including Posts Carousel, Portfolio, Posts Gridbox Slider, Posts Multislider, Posts Slider, Services, Team Members, and Testimonials (WPScan).

The vulnerability has been patched in version 6.8 of the Livemesh Addons for Elementor plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).