CVE-2024-3891: 
WordPress vulnerability analysis and mitigation

The Happy Addons for Elementor WordPress plugin (versions up to 3.10.5) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-3891) discovered in May 2024. The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes in HTML tags within widgets (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NIST, and 6.4 (Medium) according to Wordfence. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L). The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that execute when users access the affected pages (NVD, Wordfence).

When exploited, this vulnerability allows attackers to inject malicious web scripts into pages that execute in users' browsers when they access the compromised content. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' sessions (NVD).

A patch has been released to address this vulnerability. Users should update their Happy Addons for Elementor plugin to a version newer than 3.10.5 to mitigate this security risk (WordPress).