CVE-2024-9888: 
WordPress vulnerability analysis and mitigation

The ElementInvader Addons for Elementor plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-9888) in the plugin's contact form widget redirect URL feature. This vulnerability affects all versions up to and including 1.2.8 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes in the contact form widget redirect URL. This security flaw has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity (NVD).

The vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to theft of sensitive information or manipulation of page content (NVD).

A patch has been released to address this vulnerability. Users should update to a version newer than 1.2.8. The fix can be found in the plugin's repository (WordPress Plugin).