CVE-2024-0625 is a stored cross-site scripting vulnerability identified in the WPFront Notification Bar plugin for WordPress, present in all versions up to and including 3.3.2. The vulnerability stems from insufficient sanitization and escaping of user input in the 'wpfront-notification-bar-options[custom_class]' parameter. This flaw allows authenticated users with administrator privileges to inject arbitrary JavaScript code into pages generated by the plugin. The injected scripts execute whenever any user accesses the affected pages, potentially enabling session hijacking, privilege escalation, or other malicious activities within the WordPress environment. The vulnerability specifically affects multi-site WordPress installations or those where the 'unfiltered_html' capability is disabled, limiting the scope to environments with stricter content filtering. Exploitation requires administrator-level credentials, making it less accessible to external attackers without prior compromise. The CVSS 3.1 base score is 4.4, reflecting a medium severity due to the requirement for high privileges and attack complexity. No public exploits or widespread attacks have been reported to date. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to cross-site scripting. Mitigation involves applying patches once available or implementing strict input validation and output encoding in the plugin's codebase. Organizations should audit their WordPress installations for this plugin and version, especially in multi-site contexts, to assess exposure and remediate accordingly.

The primary impact of CVE-2024-0625 is the potential execution of arbitrary JavaScript code within the context of affected WordPress sites, which can compromise user confidentiality and integrity. Although the vulnerability requires administrator-level access to exploit, an attacker who gains such privileges can leverage this flaw to perform persistent XSS attacks, potentially leading to session hijacking, defacement, or further privilege escalation. This can undermine trust in the affected websites and lead to data leakage or unauthorized actions performed on behalf of legitimate users. The vulnerability does not affect availability directly. Since it impacts multi-site installations and those with unfiltered_html disabled, organizations running complex WordPress environments are at higher risk. The medium CVSS score reflects the balance between the high privilege requirement and the potential for persistent script injection. If exploited, the vulnerability could facilitate lateral movement within an organization’s web infrastructure or enable targeted attacks against site administrators and users.

To mitigate CVE-2024-0625, organizations should first verify if they use the WPFront Notification Bar plugin, particularly versions up to 3.3.2, and assess whether their WordPress installation is multi-site or has unfiltered_html disabled. Immediate mitigation includes restricting administrator access to trusted personnel only, as exploitation requires admin privileges. Administrators should monitor for unusual activity or unauthorized script injections within the notification bar content. Since no official patch links are currently available, organizations can implement manual input sanitization and output escaping for the 'custom_class' parameter in the plugin code as a temporary fix. Employing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting this parameter can reduce risk. Regularly updating WordPress core, plugins, and themes is essential once a patch is released. Additionally, conducting security audits and penetration testing focused on multi-site configurations can help identify and remediate similar vulnerabilities. Finally, educating administrators about the risks of injecting untrusted content into plugin parameters is critical to prevent exploitation.