CVE-2024-0977: 
WordPress vulnerability analysis and mitigation

The Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-0977) affecting all versions up to and including 1.5.3. The vulnerability was discovered and disclosed in February 2024 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's timeline widget. The CVSS v3.1 base score is 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N as assessed by NIST, while Wordfence rated it at 4.4 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, changes the slideshow type, and then changes it back to an image (NVD).

A patch has been released to address this vulnerability. Users should update to version 1.5.4 or later of the Timeline Widget For Elementor plugin (WordPress Patch).