CVE-2024-8962: 
WordPress vulnerability analysis and mitigation

The WPBITS Addons For Elementor Page Builder plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-8962) that affects all versions up to and including 1.5.2. The vulnerability was discovered and disclosed in December 2024 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's SVG file upload functionality. This security flaw allows authenticated users with Author-level privileges or higher to inject arbitrary web scripts through SVG file uploads. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, the vulnerability allows attackers to inject malicious scripts that execute whenever a user accesses the compromised SVG file. This can lead to potential client-side attacks and unauthorized actions performed in the context of the victim's browser session (NVD).

Users are advised to update to a version newer than 1.5.2 of the WPBITS Addons For Elementor Page Builder plugin. The vulnerability has been patched in subsequent releases (WordPress Plugin).