CVE-2024-12120: 
WordPress vulnerability analysis and mitigation

The Royal Elementor Addons and Templates plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-12120) affecting versions up to and including 1.7.1017. The vulnerability exists in the Countdown widget's displaymessagetext parameter due to insufficient input sanitization and output escaping. This security issue was discovered and reported by researcher zer0gh0st (NVD, Wiz).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). It has received a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The issue stems from inadequate sanitization of the displaymessagetext parameter in the Countdown widget, which allows for the injection of arbitrary web scripts (NVD).

When successfully exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts that execute in the context of other users' browsers when they visit the compromised pages. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the victim's browser session (Wiz).

The vulnerability has been patched in version 1.7.1018 of the Royal Elementor Addons and Templates plugin. The fix includes improved input sanitization and output escaping mechanisms through the implementation of a sanitizeHTMLContent function to prevent XSS attacks (WordPress Plugin).