CVE-2024-10475 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability identified in the Responsive Contact Form Builder & Lead Generation Plugin for WordPress, affecting versions prior to 1.9.8. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings, allowing high-privilege users, such as administrators, to inject malicious scripts that are stored persistently. Notably, this exploit can be executed even when the WordPress unfiltered_html capability is disabled, such as in multisite environments, which typically restricts the ability to post unfiltered HTML. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 4.8, reflecting a medium severity level, with an attack vector of network (remote exploitation), low attack complexity, requiring high privileges, and user interaction. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable plugin, and the impact affects confidentiality and integrity but not availability. There are no known exploits in the wild at present, and no official patches or updates have been linked yet. This vulnerability could allow an attacker with administrative access to inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, privilege escalation, or data theft within the WordPress environment.

For European organizations using WordPress sites with the Responsive Contact Form Builder & Lead Generation Plugin, this vulnerability poses a risk primarily when an attacker or insider has administrative access. The stored XSS could be leveraged to compromise site administrators or other privileged users, leading to unauthorized access to sensitive data, manipulation of site content, or further compromise of the web application. Given the widespread use of WordPress across Europe for business, governmental, and non-profit websites, exploitation could result in reputational damage, data breaches involving personal data protected under GDPR, and potential regulatory penalties. Multisite WordPress installations common in large organizations or hosting providers are particularly at risk due to the bypass of unfiltered_html restrictions. While the vulnerability does not directly impact availability, the confidentiality and integrity risks are significant, especially in sectors handling sensitive information such as finance, healthcare, and public administration.

European organizations should immediately audit their WordPress installations to identify the presence of the Responsive Contact Form Builder & Lead Generation Plugin and verify its version. Until an official patch is released, administrators should consider disabling or removing the plugin if it is not essential. For installations where the plugin is critical, restrict administrative access rigorously, enforce strong authentication mechanisms such as multi-factor authentication (MFA), and monitor administrative actions closely. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly review and sanitize all user-generated content and plugin settings manually if possible. Additionally, organizations should maintain up-to-date backups and consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting this plugin. Monitoring logs for unusual administrative activity and user interactions can help detect attempted exploitation early.