CVE-2024-0823: 
WordPress vulnerability analysis and mitigation

The Exclusive Addons for Elementor WordPress plugin (versions up to 2.6.8) contains a Stored Cross-Site Scripting vulnerability identified as CVE-2024-0823. The vulnerability was discovered in January 2024 and publicly disclosed on February 5, 2024. The issue affects the 'Link To' URL functionality in carousels due to insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium). The attack vector is network-accessible (AV:N), requires low attack complexity (AC:L), needs low privileges (PR:L), requires user interaction (UI:R), and has a changed scope (S:C) with low confidentiality and integrity impacts (C:L, I:L) and no availability impact (A:N) (Wordfence).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

A patch has been released to address this vulnerability. Website administrators should update the Exclusive Addons for Elementor plugin to a version newer than 2.6.8 (WordPress Patch).