CVE-2024-6627: 
WordPress vulnerability analysis and mitigation

The Happy Addons for Elementor WordPress plugin contains a Stored Cross-Site Scripting vulnerability (CVE-2024-6627) discovered in July 2024. The vulnerability affects all versions up to and including 3.11.2, specifically in the plugin's PDF View widget. The issue stems from insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 5.4 (Medium) according to NIST, and 6.4 (Medium) according to Wordfence. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, required privileges, user interaction, and potential for confidentiality and integrity impacts (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Users are advised to update to a version newer than 3.11.2 of the Happy Addons for Elementor plugin to address this vulnerability (WordPress Plugin).