CVE-2021-24292: 
WordPress vulnerability analysis and mitigation

CVE-2021-24292 affects the Happy Addons for Elementor WordPress plugin (both Free < 2.24.0 and Pro < 1.17.0 versions). The vulnerability was discovered by Ramuel Gall and publicly disclosed on April 26, 2021. This security issue involves stored Cross-Site Scripting (XSS) vulnerabilities that can be exploited by users with lower-level privileges such as contributors (WPScan).

The vulnerability exists in multiple widgets within the plugin, primarily centered around the manipulation of the 'titletag' parameter. The exploit method involves sending a 'savebuilder' request with the 'heading_tag' set to 'script' and injecting JavaScript code in the 'title' parameter. The vulnerability has been assigned a CVSS score of 6.8 (medium) and is classified as CWE-79. Affected widgets include Card, fun-factor, gradient-heading, icon-box, infobox, member, post-list, review, and step-flow components (WPScan).

When exploited, the vulnerability allows lower-privileged users such as contributors to inject and store malicious JavaScript code that executes when the affected page is viewed or previewed by other users. This creates a potential for unauthorized script execution in the context of other users' browsers (WPScan).

The vulnerability has been patched in Happy Addons for Elementor Free version 2.24.0 and Pro version 1.17.0. Users are advised to update to these or later versions to mitigate the security risk (WPScan).