CVE-2024-11937: 
WordPress vulnerability analysis and mitigation

The Premium Addons for Elementor WordPress plugin (versions up to 4.10.69) contains a Stored Cross-Site Scripting vulnerability identified as CVE-2024-11937. The vulnerability exists in the plugin's linkURL functionality within the Mobile Menu element, stemming from insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 6.4 (Medium) from Wordfence and 5.4 (Medium) from NIST, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability allows for the injection of arbitrary web scripts through the plugin's linkURL parameter in the Mobile Menu element (NVD, Rapid7).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious web scripts into pages. These injected scripts will execute whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

Users are advised to update their Premium Addons for Elementor plugin to version 4.10.70 or later, which contains the security patch for this vulnerability. The fix has been implemented in the WordPress plugin repository (WordPress Plugin).