CVE-2024-5086: 
WordPress vulnerability analysis and mitigation

The Essential Addons for Elementor PRO plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-5086) in its Team Member Carousel widget. The vulnerability affects all Pro versions up to and including 5.8.14, discovered and disclosed on May 29, 2024. The issue stems from insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 Base Score of 6.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability exists in the Team Member Carousel widget component where user-supplied attributes are not properly sanitized and escaped before being stored and displayed (Wordfence).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

The vulnerability has been patched in versions after 5.8.14. Users are advised to update their Essential Addons for Elementor PRO plugin to the latest version available (Essential Addons Changelog).