CVE-2024-24831: 
WordPress vulnerability analysis and mitigation

A Stored Cross-site Scripting (XSS) vulnerability was discovered in Leap13 Premium Addons for Elementor WordPress plugin affecting versions up to 4.10.16. The vulnerability was identified and reported on February 2, 2024, by researcher Khalid Yusuf (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned CVE-2024-24831. It received a CVSS v3.1 base score of 5.4 (Medium) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a slightly higher CVSS score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when visitors access the site. The attack requires contributor-level privileges to exploit (Patchstack).

The vulnerability has been patched in version 4.10.17 of the Premium Addons for Elementor plugin. Users are advised to update to version 4.10.17 or later to remove the vulnerability (Patchstack).