CVE-2024-9068: 
WordPress vulnerability analysis and mitigation

The OneElements – Best Elementor Addons plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-9068) that affects all versions up to and including 1.3.7. The vulnerability was discovered and reported by Francesco Carlucci, with public disclosure on September 24, 2024 (NVD, Wordfence).

The vulnerability stems from insufficient input sanitization and output escaping in the SVG file upload functionality. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD and 6.4 (Medium) by Wordfence, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

This vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected SVG file, potentially compromising the security of site visitors (NVD).

The plugin has been closed as of September 23, 2024, due to security issues and is no longer available for download from the WordPress plugin repository (WordPress). Users are advised to remove this plugin from their WordPress installations and seek alternative solutions.