CVE-2024-10362 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin 'Social Media Share Buttons & Social Sharing Icons' in versions prior to 2.9.1. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings, allowing high-privilege users, such as administrators, to inject malicious scripts that are stored persistently. Notably, this exploit can be performed even when the WordPress capability 'unfiltered_html' is disabled, which is often the case in multisite environments, thus bypassing a common security control. The attack vector requires network access (remote), low attack complexity, and high privileges, with user interaction required to trigger the malicious payload. The vulnerability impacts confidentiality and integrity by enabling script injection that could lead to session hijacking, privilege escalation, or defacement, but does not affect availability. No known exploits are currently reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS. The CVSS v3.1 base score is 4.8, reflecting a medium severity level due to the requirement of high privileges and user interaction, but with a low attack complexity and potential for impact on confidentiality and integrity. The vulnerability affects all versions before 2.9.1 of the plugin, which is commonly used to add social media sharing functionality to WordPress sites.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the affected plugin installed. Since the exploit requires administrative privileges, the threat is mainly from insider threats or attackers who have already compromised an admin account. Successful exploitation could allow attackers to inject malicious scripts that steal session tokens, manipulate site content, or redirect users to malicious sites, potentially leading to data breaches or reputational damage. Organizations in sectors with strict data protection regulations like GDPR could face compliance issues if personal data is exposed through such attacks. Additionally, multisite WordPress installations, common in large enterprises and educational institutions across Europe, are particularly vulnerable since the vulnerability bypasses the 'unfiltered_html' restriction. The impact on availability is minimal, but the confidentiality and integrity of web content and user data could be compromised, affecting trust and operational security.

To mitigate this vulnerability, European organizations should immediately update the 'Social Media Share Buttons & Social Sharing Icons' plugin to version 2.9.1 or later where the issue is fixed. If immediate patching is not possible, restrict administrative access to trusted personnel only and monitor admin activities for suspicious behavior. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns related to XSS payloads in plugin settings. Regularly audit and sanitize all user-generated content and plugin settings, especially in multisite environments. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Additionally, review and harden WordPress user roles and capabilities to minimize the number of users with high privileges. Conduct security awareness training for administrators to recognize and prevent injection of malicious content.