CVE-2024-4862: 
WordPress vulnerability analysis and mitigation

CVE-2024-4862 affects the WPBITS Addons For Elementor Page Builder WordPress plugin, involving a Stored Cross-Site Scripting vulnerability in versions up to and including 1.5. The vulnerability was discovered by researcher stealthcopter and was publicly disclosed on July 8, 2024 (WPScan).

The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes across several widgets in the plugin. The issue has been assigned a CVSS score of 6.4 (Medium) and is classified under CWE-79: Cross-Site Scripting (XSS). The vulnerability affects multiple widgets including accordion, business hours, logo grid, price table, and tabs components (WPScan).

This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. When users access an affected page, the injected scripts will execute in their browsers, potentially leading to unauthorized actions or data theft (Wordfence).

The vulnerability has been fixed in version 1.5.1 of the WPBITS Addons For Elementor Page Builder plugin. Site administrators should update to this version or later to protect against this security issue (WPScan).