CVERadar
CVE-2024-0438
Security Intelligence Brief
What is this vulnerability and why does it matter?
This vulnerability (CVE-2024-0438) is a Stored Cross-Site Scripting (XSS) flaw found in the Happy Addons for Elementor plugin for WordPress. It exists due to insufficient input sanitization and output escaping of the 'wrapper link' parameter within the 'Age Gate' feature. This matters because it allows authenticated attackers with contributor access or higher to inject arbitrary web scripts into pages. When a user accesses an affected page, the injected script will execute in their browser, potentially leading to session hijacking, data theft, website defacement, or redirection to malicious sites.

What are the CVSS score, severity level, and disclosure details?
The CVSS score for this vulnerability is 5.4. This translates to a Medium severity level. The vulnerability was published on 2024-02-20 18:56:23 and was last modified on 2026-04-08 16:42:43.

Which products, vendors, systems, and versions are affected?
The affected product is the Happy Addons for Elementor plugin. It impacts WordPress systems. All versions of the Happy Addons for Elementor plugin up to, and including, 3.10.1 are vulnerable.

What is the technical root cause and attack vector?
The technical root cause of this vulnerability is insufficient input sanitization and output escaping. The attack vector is specifically through the 'wrapper link' parameter within the 'Age Gate' feature of the Happy Addons for Elementor plugin.

How can this vulnerability be exploited?
This vulnerability can be exploited by an authenticated attacker who has contributor access or higher privileges on the WordPress site. The attacker can inject arbitrary web scripts into the 'wrapper link' parameter of the Age Gate feature. Once injected, these scripts will be stored on the website and will execute in the browser of any user who accesses the page containing the malicious content.

What mitigation steps and patches are available?
To mitigate this vulnerability, users should update the Happy Addons for Elementor plugin to a version beyond 3.10.1. It is critical to apply the latest available update provided by the vendor, as newer versions are expected to contain the necessary fixes for input sanitization and output escaping.

How can vulnerable systems be detected?
Vulnerable systems can be detected by checking the installed version of the Happy Addons for Elementor plugin on a WordPress site. Any installation running version 3.10.1 or earlier is considered vulnerable to CVE-2024-0438.
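The version check described above can be run across several sites from saved `wp plugin list --format=json` output. This is an added example, not part of the original brief or the plugin's code; the plugin slug `happy-elementor-addons`, the site names and the sample inventory are assumptions constructed for illustration. Versions are compared numerically because a plain string comparison would rank 3.9.0 above 3.10.1 and miss it.

```python
import json
import re

# Assumption (not stated in the brief): the plugin's wordpress.org slug.
PLUGIN_SLUG = "happy-elementor-addons"
# From the brief: every version up to and including 3.10.1 is vulnerable.
LAST_VULNERABLE = (3, 10, 1)


def parse_version(text):
    """Turn '3.10.1' into (3, 10, 1); return None when no version is found."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        return None
    parts = [int(p) for p in match.group(0).split(".")]
    parts += [0] * (3 - len(parts))  # '3.10' compares as (3, 10, 0)
    return tuple(parts)


def assess(plugin_list_json):
    """Classify one site: vulnerable, patched, not-installed or unknown."""
    for entry in json.loads(plugin_list_json):
        if entry.get("name") != PLUGIN_SLUG:
            continue
        version = parse_version(str(entry.get("version", "")))
        if version is None:
            return "unknown"
        return "vulnerable" if version <= LAST_VULNERABLE else "patched"
    return "not-installed"


def sweep(inventory):
    """Map each site name to its assessment."""
    return {site: assess(raw) for site, raw in inventory.items()}


# Constructed sample: one `wp plugin list --format=json` capture per site.
SAMPLE_INVENTORY = {
    "blog.example": '[{"name": "happy-elementor-addons", "status": "active",'
                    ' "update": "available", "version": "3.9.0"}]',
    "shop.example": '[{"name": "happy-elementor-addons", "status": "inactive",'
                    ' "update": "none", "version": "3.10.2"}]',
    "docs.example": '[{"name": "akismet", "status": "active",'
                    ' "update": "none", "version": "5.3"}]',
}

if __name__ == "__main__":
    for site, verdict in sweep(SAMPLE_INVENTORY).items():
        print(f"{site}: {verdict}")
```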
What public intelligence references and advisories exist?
The primary public intelligence reference for this vulnerability is CVE-2024-0438 itself. Additionally, CVE-2024-29108 is noted as a likely duplicate of this issue.

What is the risk assessment and urgency level?
The risk assessment for CVE-2024-0438 is rated as Medium, based on its CVSS score of 5.4. Despite the medium severity, the urgency level for patching is high due to the nature of Stored Cross-Site Scripting vulnerabilities. These types of vulnerabilities can lead to significant impacts such as unauthorized access to user accounts, defacement of the website, information disclosure, and potentially broader compromise of the affected WordPress site and its users. The requirement for authenticated access (contributor or higher) slightly limits the attack surface but does not negate the critical need for immediate remediation, especially in environments where multiple users have publishing privileges.