The vulnerability CVE-2024-0898 is a stored cross-site scripting (CWE-79) flaw in the bluecoral WordPress plugin 'Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back'. It exists due to improper neutralization of input during web page generation, specifically in the plugin's admin settings. Authenticated administrators can inject malicious scripts that persist and execute when other users view the injected content. This affects multi-site WordPress environments and installations with disabled 'unfiltered_html'. The CVSS 3.1 vector indicates network attack vector, high attack complexity, high privileges required, no user interaction, scope changed, with low confidentiality and integrity impact and no availability impact.

An attacker with administrator-level privileges can inject persistent malicious scripts into the plugin's settings, which execute in the context of users viewing the affected pages. This can lead to limited confidentiality and integrity impacts such as session hijacking or unauthorized actions performed on behalf of users. The vulnerability does not affect availability. The impact is constrained by the requirement for high privileges and the specific installation conditions (multi-site or disabled 'unfiltered_html'). No known active exploitation has been reported.

No official patch or fix has been disclosed at this time. Users should monitor the vendor's advisory channels for updates and apply any forthcoming patches promptly. Since exploitation requires administrator privileges, limiting administrative access and reviewing user permissions can reduce risk. Additionally, verifying the 'unfiltered_html' setting and multi-site configuration may help identify vulnerable environments. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.