CVE-2024-54315: 
WordPress vulnerability analysis and mitigation

The Events Addon for Elementor plugin for WordPress contains a Cross-Site Scripting (XSS) vulnerability affecting versions up to and including 2.2.2. The vulnerability was discovered and reported by João Pedro S Alcântara on November 15, 2024, and was publicly disclosed on December 11, 2024. This security issue affects the NicheAddons Events Addon for Elementor plugin and allows DOM-Based XSS attacks (Patchstack).

The vulnerability has been assigned CVE-2024-54315 and received a CVSS v3.1 score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The issue is classified as an Improper Neutralization of Input During Web Page Generation vulnerability (CWE-79), specifically allowing DOM-Based Cross-Site Scripting attacks (NVD).

This vulnerability could allow malicious actors to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. The attack requires user interaction and authenticated access with Contributor-level privileges or higher (Patchstack).

The vulnerability has been patched in version 2.2.3 of the Events Addon for Elementor plugin. Users are advised to update to version 2.2.3 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).