CVE-2024-37922: 
WordPress vulnerability analysis and mitigation

CVE-2024-37922 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Leap13 Premium Addons for Elementor WordPress plugin versions through 4.10.34. The vulnerability was discovered and reported on July 20, 2024, and it allows authenticated users with contributor-level access or higher to perform stored XSS attacks (NVD, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 6.5 (Medium) according to Patchstack. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), needs low privileges (PR:L), and requires user interaction (UI:R) with a changed scope (S:C) (NVD).

If exploited, this vulnerability allows authenticated attackers with contributor-level access or above to inject malicious scripts into the website. These scripts, which could include redirects, advertisements, and other HTML payloads, will be executed when visitors access the affected pages (Patchstack).

The vulnerability has been patched in version 4.10.35 of the Premium Addons for Elementor plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).