CVE-2024-10325: 
WordPress vulnerability analysis and mitigation

The Elementor Header & Footer Builder plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-10325) discovered in versions up to and including 1.6.45. The vulnerability was identified on November 7, 2024, and allows authenticated attackers with Author-level access or higher to inject malicious web scripts through REST API SVG File uploads (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's handling of SVG file uploads through the REST API. The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring low attack complexity and user interaction (NVD).

When exploited, this vulnerability allows attackers to inject arbitrary web scripts that execute whenever a user accesses the affected SVG file. This can lead to potential client-side attacks and compromise of user sessions (NVD).

The vulnerability has been patched in version 1.6.46 of the plugin. Users are strongly advised to update to this version or later to protect against potential attacks (WordPress Plugin).