CVE-2024-13699: 
WordPress vulnerability analysis and mitigation

The Qi Addons For Elementor WordPress plugin (versions up to 1.8.7) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-13699) discovered in February 2024. The vulnerability exists in the 'cursor' parameter due to insufficient input sanitization and output escaping. This security issue affects all versions of the plugin up to and including version 1.8.7 (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 6.4 (Medium) according to Wordfence. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability requires low attack complexity and limited privileges to exploit (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to unauthorized data access or manipulation of user sessions (NVD).

The vulnerability was partially addressed through multiple patches in versions 1.8.5, 1.8.6, and 1.8.7. The latest fix in version 1.8.7 specifically addresses Cross Site Scripting (XSS) regex protection issues that were causing problems with widgets rendering (WordPress Changeset).