CVE-2023-5381: 
WordPress vulnerability analysis and mitigation

The Elementor Addon Elements plugin for WordPress (CVE-2023-5381) contains a Stored Cross-Site Scripting vulnerability affecting versions up to and including 1.12.7. The vulnerability was discovered by Paolo Tresso and publicly disclosed on November 15, 2023 (Wordfence Advisory).

The vulnerability stems from insufficient input sanitization and output escaping in the admin settings. It has been assigned a CVSS v3.1 base score of 4.8 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 4.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page. The scope is limited to multi-site installations and installations where unfiltered_html has been disabled (NVD).

A patch has been released to address this vulnerability, as evidenced by the WordPress plugin repository changes (WordPress Patch). Users are advised to update to a version newer than 1.12.7.