CVE-2024-13445: 
WordPress vulnerability analysis and mitigation

The Elementor Website Builder plugin for WordPress (versions up to and including 3.27.4) was identified with a Stored Cross-Site Scripting vulnerability (CVE-2024-13445). The vulnerability was discovered and reported by Wordfence, with the initial disclosure made on February 20, 2025. The issue affects the border, margin, and gap parameters in the plugin due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 5.4 (Medium) from NIST and 6.4 (Medium) from Wordfence. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R) in the NIST assessment. The scope is changed (S:C) with low confidentiality and integrity impact (C:L, I:L) and no availability impact (A:N) (NVD).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user interactions (NVD).

A patch has been released to address this vulnerability. Users are advised to update their Elementor Website Builder plugin to version 3.27.5 or later which contains the security fix (WordPress Patch).