CVE-2024-0664 is a stored cross-site scripting (XSS) vulnerability identified in the Meks Smart Social Widget plugin for WordPress, affecting all versions up to and including 1.6.3. The root cause is insufficient input sanitization and output escaping during web page generation, which allows authenticated users with administrator privileges on multi-site WordPress installations to inject arbitrary JavaScript code into pages. This vulnerability specifically impacts multi-site setups where the WordPress configuration disables the unfiltered_html capability, which otherwise allows administrators to post unfiltered HTML content. Because the injected scripts are stored persistently, they execute whenever any user accesses the infected page, potentially enabling session hijacking, privilege escalation, or defacement attacks. The vulnerability requires administrator-level privileges to exploit, limiting its exposure to trusted users or attackers who have already compromised admin accounts. The CVSS 3.1 base score is 4.4, reflecting a medium severity rating due to the need for high privileges (PR:H), network attack vector (AV:N), and no user interaction (UI:N). The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component. No public exploits have been reported yet, but the vulnerability poses a risk in environments where multi-site WordPress installations use this plugin. The lack of available patches at the time of publication necessitates immediate attention from administrators to mitigate risks.

The primary impact of CVE-2024-0664 is the potential for persistent cross-site scripting attacks on WordPress sites using the Meks Smart Social Widget plugin in multi-site configurations. Successful exploitation can lead to the execution of arbitrary JavaScript in the context of the affected website, enabling attackers to hijack user sessions, steal cookies, perform actions on behalf of users, or deface website content. Although exploitation requires administrator-level access, this vulnerability can be leveraged by attackers who have already gained elevated privileges or by malicious insiders. The compromise of user trust and potential data leakage can damage organizational reputation and lead to further attacks. Since multi-site WordPress installations are often used by enterprises, educational institutions, and media companies, the scope of impact can be significant. The vulnerability does not directly affect availability but can indirectly cause service disruptions through defacement or administrative account compromise. The medium CVSS score reflects moderate risk, but the potential for chained attacks elevates the threat in targeted environments.

To mitigate CVE-2024-0664, organizations should first verify if they operate multi-site WordPress installations with the Meks Smart Social Widget plugin version 1.6.3 or earlier. Immediate steps include: 1) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 2) Temporarily disable or remove the Meks Smart Social Widget plugin until a security patch or update is released by the vendor. 3) Review and sanitize all user-generated content and widget inputs manually to detect and remove any injected scripts. 4) Enable security plugins that provide web application firewall (WAF) capabilities to detect and block suspicious script injections. 5) Monitor logs and user activity for signs of unauthorized script injections or unusual administrator behavior. 6) Educate administrators on the risks of XSS and the importance of secure content management practices. 7) Once available, promptly apply vendor patches or updates addressing this vulnerability. 8) Consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. These measures combined will reduce the risk of exploitation and limit the impact if an attack occurs.