CVE-2024-0824: 
WordPress vulnerability analysis and mitigation

The Exclusive Addons for Elementor WordPress plugin is affected by a Stored Cross-Site Scripting vulnerability (CVE-2024-0824) in versions up to and including 2.6.8. The vulnerability exists in the Link Anything functionality due to insufficient input sanitization and output escaping (NVD).

The vulnerability stems from improper input sanitization and output escaping in the Link Anything functionality. The CVSS v3.1 base score is 5.4 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N according to NVD's assessment, while Wordfence rates it at 6.4 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

A patch has been released to address this vulnerability. Users should update their Exclusive Addons for Elementor plugin to a version newer than 2.6.8 (Wordfence).