CVE-2024-2249

Name of the Vulnerable Software and Affected Versions LA-Studio Element Kit for Elementor plugin for WordPress versions up to, and including, 1.3.7.4

Description The issue is related to Stored Cross-Site Scripting via the LinkWrapper attribute found in several widgets. This is due to insufficient input sanitization and output escaping of the user-supplied attribute, making it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page.

Recommendations For versions up to, and including, 1.3.7.4, update to a version later than 1.3.7.4 to resolve the issue. As a temporary workaround, consider restricting access to the LinkWrapper attribute in the affected widgets to minimize the risk of exploitation.