CVE-2024-49234: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the themeworm Plexx Elementor Extension WordPress plugin, tracked as CVE-2024-49234. The vulnerability affects versions up to 1.3.4 and was discovered by security researcher Khalid Yusuf on October 14, 2024 (WPScan, Patchstack).

The vulnerability stems from insufficient input sanitization and output escaping in the Plexx Elementor Extension plugin. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned a score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other malicious actions (WPScan).

The vulnerability has been patched in version 1.3.7 of the Plexx Elementor Extension plugin. Website administrators are advised to update to this version or later to remediate the security issue (Patchstack).