CVE-2024-0662 is a stored cross-site scripting vulnerability identified in the FancyBox for WordPress plugin, specifically affecting versions 3.0.2 through 3.3.3. The root cause is insufficient sanitization and escaping of input data within the plugin's administrative settings, which allows attackers with administrator-level privileges to inject arbitrary JavaScript code into pages. This vulnerability is exploitable only in multisite WordPress installations or where the unfiltered_html capability is disabled, restricting the attack surface. Once injected, the malicious scripts execute in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability requires authenticated access with high privileges, and no user interaction is needed for the payload to execute. The CVSS 3.1 base score is 4.4, reflecting a medium severity due to the high attack complexity and limited scope. No public exploits have been reported to date, but the vulnerability poses a risk to organizations relying on this plugin in multisite environments. The issue highlights the importance of proper input validation and output encoding in WordPress plugins to prevent cross-site scripting attacks.

The primary impact of CVE-2024-0662 is the potential compromise of user confidentiality and integrity within affected WordPress multisite environments. An attacker with administrator privileges can inject malicious scripts that execute in the browsers of users visiting the infected pages, potentially leading to session hijacking, unauthorized actions, or data leakage. Although availability is not directly affected, the breach of trust and data integrity can have significant reputational and operational consequences. The requirement for administrator-level access limits the risk to insider threats or compromised admin accounts, but once exploited, the attacker can leverage the vulnerability to escalate privileges or pivot to other attacks. Organizations with multisite WordPress deployments using the FancyBox plugin are at risk, especially if they have disabled unfiltered_html capabilities, which otherwise might mitigate such attacks. The medium CVSS score reflects the moderate risk, but the potential for persistent XSS makes it a serious concern for web security and user safety.

To mitigate CVE-2024-0662, organizations should immediately update the FancyBox for WordPress plugin to a version where this vulnerability is patched once available. Until a patch is released, administrators should restrict plugin usage to trusted personnel only and audit admin accounts to prevent unauthorized access. Enabling unfiltered_html capability where feasible can reduce the attack surface by allowing trusted users to input HTML safely. Additionally, implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections can provide a temporary defense. Regularly scanning multisite installations for injected scripts and monitoring logs for unusual admin activity are also recommended. Developers should review and improve input sanitization and output escaping in plugin code to prevent similar issues. Finally, educating administrators about the risks of stored XSS and enforcing strong authentication and access controls will help reduce exploitation likelihood.