CVE-2024-6169: 
WordPress vulnerability analysis and mitigation

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) WordPress plugin contains a Stored Cross-Site Scripting vulnerability (CVE-2024-6169) affecting versions up to and including 1.5.112. The vulnerability was discovered on July 8, 2024 and publicly disclosed on July 9, 2024 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping of the 'username' parameter. The issue has a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N according to NVD, while Wordfence rates it at 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access and above (who have been granted plugin setting edit permissions by an administrator) to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Users should update to version 1.5.113 or later which contains patches for this vulnerability. The fix can be found in the WordPress plugin repository (WordPress Patch).