CVE-2024-10323: 
WordPress vulnerability analysis and mitigation

The JetWidgets For Elementor WordPress plugin (versions up to 1.0.18) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-10323) discovered in November 2024. The vulnerability exists in the REST API SVG File upload functionality and affects installations where users have Author-level access or higher (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the SVG file upload functionality via the REST API. The CVSS v3.1 base score is 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N according to NVD, while Wordfence assessed it at 6.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows authenticated attackers with Author-level privileges or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised SVG file (NVD).

The vulnerability has been patched in version 1.0.19 of the JetWidgets For Elementor plugin. Users are advised to update to this latest version to protect against potential exploitation (WordPress Plugin).