CVE-2024-11367: 
WordPress vulnerability analysis and mitigation

The Smoove connector for Elementor forms plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-11367) that affects all versions up to and including 4.1.0. The vulnerability was discovered by researcher vgo0 and was publicly disclosed on December 6, 2024 (Wordfence Blog, NVD).

The vulnerability stems from improper use of the add_query_arg function without appropriate URL escaping in the plugin's code. This has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The impact is considered moderate, with potential for both information disclosure and limited integrity compromise (NVD).

Users should update their Smoove connector for Elementor forms plugin to a version newer than 4.1.0 when available. The vulnerability has been reported as patched according to security researchers (Wordfence Blog).