CVE-2024-2254: 
WordPress vulnerability analysis and mitigation

The RT Easy Builder – Advanced addons for Elementor plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-2254) affecting all versions up to and including 2.2. The vulnerability was discovered and reported by Francesco Carlucci, with public disclosure on August 23, 2024 (Wordfence).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's widgets. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to compromised user sessions and unauthorized actions (NVD).