CVE-2024-0852: CWE-79 Cross-Site Scripting (XSS) in Unknown coreActivity: Activity Logging for WordPress
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform a Stored XSS attack against high-privilege users such as admins.
AI Analysis
Technical Summary
CVE-2024-0852 is a stored Cross-Site Scripting (XSS) vulnerability identified in the coreActivity: Activity Logging plugin for WordPress, affecting versions prior to 1.8.1. This vulnerability arises because the plugin fails to properly escape certain request data before rendering it in the WordPress admin dashboard. As a result, an unauthenticated attacker can inject malicious JavaScript payloads that are stored and later executed in the browsers of high-privilege users, such as administrators, when they view the affected dashboard pages. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. Exploitation requires no authentication but does require that the victim user interacts with the compromised admin interface, typically by viewing the affected activity logs. The CVSS 3.1 base score is 6.1 (medium severity), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No known exploits have been reported in the wild yet. The vulnerability could allow attackers to execute arbitrary scripts in the context of the admin user, potentially leading to session hijacking, privilege escalation, or further compromise of the WordPress environment. The plugin is used to log and display activity within WordPress, and the vulnerability stems from insufficient output encoding of user-supplied data in the admin interface. No official patches or updates are linked yet, but upgrading to version 1.8.1 or later is implied to remediate the issue.
Potential Impact
For European organizations using WordPress with the coreActivity: Activity Logging plugin, this vulnerability poses a moderate risk. Since the attack vector is unauthenticated and remote, any public-facing WordPress site with this plugin version is exposed. Successful exploitation could lead to compromise of administrator sessions, allowing attackers to manipulate site content, install backdoors, or exfiltrate sensitive data. This is particularly concerning for organizations handling personal data under GDPR, as unauthorized access or data leakage could result in regulatory penalties. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire WordPress installation. However, the requirement for user interaction (the admin must view the maliciously crafted logs) somewhat limits the immediacy of exploitation. Still, given the widespread use of WordPress in Europe for business, government, and e-commerce sites, the vulnerability could be leveraged in targeted attacks against high-value targets. The absence of known exploits in the wild suggests limited current active exploitation, but the medium severity and ease of attack warrant prompt attention.
Mitigation Recommendations
European organizations should immediately verify if the coreActivity: Activity Logging plugin is installed and identify the version in use. If the version is prior to 1.8.1, they should upgrade to the latest version as soon as it becomes available. In the absence of an official patch, temporary mitigations include disabling the plugin or restricting access to the WordPress admin dashboard to trusted IP addresses via firewall or VPN. Additionally, implementing Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the plugin’s logging endpoints can reduce risk. Administrators should be trained to avoid clicking on suspicious log entries and to monitor logs for unusual activity. Regular backups and session management policies (such as forced logout on suspicious activity) can limit damage. Finally, applying Content Security Policy (CSP) headers to restrict the execution of inline scripts in the admin interface can mitigate the impact of XSS payloads.
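The defect class described above (stored request data echoed into an admin page without output escaping) and the two mitigations this record leans on, shown as an added illustration in WordPress-style PHP. This is not coreActivity's code and the page does not show how the plugin renders its log; the function names, the `$entry` array shape, the `coreactivity-demo` page slug and the sample log row are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Assumed shape: one log row as the
// plugin might persist it, where the visitor-controlled fields (User-Agent,
// request URI) were captured from an unauthenticated request. The sample
// row is constructed; a harmless HTML marker stands in for attacker input.
$sample_entry = array(
    'time'        => '2024-01-24 08:26:22',
    'user_agent'  => '<b>marker</b> Mozilla/5.0',
    'request_uri' => '/?s=<i>marker</i>',
);

// Vulnerable pattern (the CWE-79 condition the summary describes): stored
// request data lands in the admin page verbatim, so any markup or script
// that was saved with the log entry is interpreted by the admin's browser.
function coreactivity_demo_render_row_unsafe( array $entry ) {
    echo '<tr data-uri="' . $entry['request_uri'] . '">';
    echo '<td>' . $entry['time'] . '</td>';
    echo '<td>' . $entry['user_agent'] . '</td>';   // unescaped
    echo '<td>' . $entry['request_uri'] . '</td>';  // unescaped
    echo '</tr>';
}

// Hardened pattern: each value is escaped for the context it is written
// into. esc_html() for element text, esc_attr() for attribute values;
// both are WordPress core functions.
function coreactivity_demo_render_row_safe( array $entry ) {
    echo '<tr data-uri="' . esc_attr( $entry['request_uri'] ) . '">';
    echo '<td>' . esc_html( $entry['time'] ) . '</td>';
    echo '<td>' . esc_html( $entry['user_agent'] ) . '</td>';
    echo '<td>' . esc_html( $entry['request_uri'] ) . '</td>';
    echo '</tr>';
}

// Defence in depth at write time: normalise what is stored, so the log
// never holds raw header bytes even if a future output path forgets to
// escape. Output escaping above is still required; this only narrows input.
function coreactivity_demo_capture_entry() {
    return array(
        'time'        => current_time( 'mysql' ),
        'user_agent'  => isset( $_SERVER['HTTP_USER_AGENT'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ) : '',
        'request_uri' => isset( $_SERVER['REQUEST_URI'] )
            ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
    );
}

// CSP for the plugin's own admin page, as the mitigation section suggests.
// Scoped by page slug because core admin screens rely on inline scripts and
// would break under a blanket policy. admin_init runs before admin output,
// so the header can still be set here. Roll out with
// Content-Security-Policy-Report-Only first and watch the reports.
add_action( 'admin_init', function () {
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( 'coreactivity-demo' === $page && ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" );
    }
} );
```

With the constructed row, the unsafe renderer emits `<b>marker</b>` as live markup while the safe one emits `&lt;b&gt;marker&lt;/b&gt;`, which is the whole difference between CWE-79 and a correctly rendered log line. The CSP does not remove the escaping bug; it limits what an injected inline script can do on that page while the upgrade to 1.8.1 is rolled out.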
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2024-01-24T08:26:22.019Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f91484d88663aebccf
Added to database: 5/20/2025, 6:59:05 PM
Last enriched: 7/4/2025, 4:41:15 PM
Last updated: 8/16/2025, 8:00:33 AM