CVE-2024-43267: 
WordPress vulnerability analysis and mitigation

The Mega Addons For Elementor WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.9. The vulnerability was discovered on August 12, 2024, and was assigned CVE-2024-43267. This security issue affects the plugin developed by Qamar Sheeraz, Nasir Ahmad, and GenialSouls (Patchstack, NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 6.5 (MEDIUM), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the plugin (WPScan).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected page, potentially leading to compromised data confidentiality and integrity (WPScan).

Currently, there is no official fix available for this vulnerability. The issue affects versions up to and including 1.9 of the Mega Addons For Elementor plugin (Patchstack).