CVE-2024-1498: 
WordPress vulnerability analysis and mitigation

The Happy Addons for Elementor plugin for WordPress (versions up to and including 3.10.3) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-1498) in its Photo Stack Widget component. The vulnerability was discovered and reported by Wordfence, with the initial disclosure made on April 9, 2024 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the Photo Stack Widget component. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft or manipulation of user sessions (NVD).

Users should update their Happy Addons for Elementor plugin to a version newer than 3.10.3 to address this vulnerability. A patch has been made available through the WordPress plugin repository (WordPress Patch).