CVE-2024-12851: 
WordPress vulnerability analysis and mitigation

CVE-2024-12851 affects the Element Pack Elementor Addons plugin for WordPress, discovered and disclosed on January 8, 2025. The vulnerability is present in all versions up to and including 5.10.14. This security issue affects the Cookie Consent Widget component of the plugin, which is commonly used for header, footer, template library, dynamic grid, carousel, and remote arrows functionality (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue (CWE-79) that occurs due to insufficient input sanitization and output escaping in the custom_attributes parameter of the Cookie Consent Widget. The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring low attack complexity and user interaction (NVD).

When successfully exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to unauthorized data access, session hijacking, or other client-side attacks (NVD).

Users should update their Element Pack Elementor Addons plugin to a version newer than 5.10.14 to address this vulnerability. A patch has been released and is available through the WordPress plugin repository (WordPress Patch).