CVE-2024-10632: CWE-79 Cross-Site Scripting (XSS) in Unknown Nokaut Offers Box

Severity: Medium
Tags: Vulnerability, CVE-2024-10632, CWE-79
Published: Thu May 15 2025 (05/15/2025, 20:06:45 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Nokaut Offers Box

Description

The Nokaut Offers Box WordPress plugin through 1.4.0 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

AI-Powered Analysis

Last updated: 07/04/2025, 06:54:55 UTC

Technical Analysis

CVE-2024-10632 is a medium-severity stored Cross-Site Scripting vulnerability (CWE-79) in the Nokaut Offers Box WordPress plugin, affecting versions up to and including 1.4.0. Some of the plugin's settings are stored without sanitization and rendered without escaping, so a user who can save those settings can persist HTML and script in the site's options table. The detail that matters is the unfiltered_html capability: WordPress strips script-bearing HTML from content saved by users who lack it (the default for everyone except super admins in a multisite network, or for all users when DISALLOW_UNFILTERED_HTML is defined), but that kses filtering is applied to post and comment content, not to plugin options. A plugin that does not sanitize its own settings therefore reintroduces exactly the capability the site owner removed. Exploitation requires high privileges (an administrator who can reach the plugin's settings page) and user interaction (another administrator or a super admin loading a page where the stored value is rendered); because the script then runs in the victim's browser, CVSS treats it as a scope change. Those components correspond to the published CVSS 3.1 base score of 4.8 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N): network vector, low attack complexity, low confidentiality and integrity impact, no availability impact. In practice the realistic attacker is a site administrator in a multisite network, who is denied unfiltered_html by design, targeting a super admin; that is why a bug that "only" administrators can trigger is still a privilege boundary violation, whereas on a single-site install where the administrator already holds unfiltered_html the finding adds little. The consequences are those of any admin-context XSS: WordPress authentication cookies are HttpOnly, so the payload normally acts with the victim's session rather than stealing it, issuing REST API or admin-ajax requests with nonces read from the page to create administrator accounts, change settings or deface content. No public exploit is reported and no fixed version is linked in this record; the advisory describes versions "through 1.4.0" as affected. The CVE was reserved on 2024-10-31 and published on 2025-05-15.
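The pattern the description names, as an added illustration written for this page (it is not taken from the Nokaut Offers Box plugin, whose code the advisory does not show): a settings option registered without a sanitize callback and echoed without escaping, beside the hardened form that stays safe even when the saving user legitimately holds unfiltered_html. The option group, option name and field names (xyz_*) are hypothetical.

```php
<?php
/**
 * Example code for this page, not the plugin's own. Shows why the
 * unfiltered_html capability does not protect plugin settings: kses runs on
 * post/comment content on save, never on options, so the plugin itself must
 * sanitize on save and escape on output. Names prefixed xyz_ are invented.
 */

// --- Vulnerable pattern ---------------------------------------------------
// No sanitize_callback: whatever the administrator posts is stored verbatim,
// regardless of whether that user has unfiltered_html.
function xyz_register_settings_vulnerable() {
    register_setting( 'xyz_options_group', 'xyz_settings' );
}

function xyz_render_title_vulnerable() {
    $opts  = get_option( 'xyz_settings', array() );
    $title = isset( $opts['box_title'] ) ? $opts['box_title'] : '';
    // Raw echo into an attribute. A stored value such as
    //   " autofocus onfocus="alert(document.cookie)
    // closes the attribute and runs whenever an admin opens this page.
    echo '<input type="text" name="xyz_settings[box_title]" value="' . $title . '">';
}

// --- Hardened pattern -----------------------------------------------------
// Runs inside update_option() via the Settings API; the value has already
// been unslashed by wp-admin/options.php, so do not unslash it again here.
function xyz_sanitize_settings( $input ) {
    $clean = array();
    // Plain-text field: strip all tags and line breaks.
    $clean['box_title'] = isset( $input['box_title'] )
        ? sanitize_text_field( $input['box_title'] )
        : '';
    // Field that legitimately carries markup: keep only the post-safe subset,
    // which is the same allow-list a user without unfiltered_html gets for posts.
    $clean['box_html'] = isset( $input['box_html'] )
        ? wp_kses_post( $input['box_html'] )
        : '';
    return $clean;
}

function xyz_register_settings_hardened() {
    register_setting( 'xyz_options_group', 'xyz_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'xyz_sanitize_settings',
        'default'           => array( 'box_title' => '', 'box_html' => '' ),
    ) );
}

function xyz_render_fields_hardened() {
    $opts  = get_option( 'xyz_settings', array() );
    $title = isset( $opts['box_title'] ) ? $opts['box_title'] : '';
    $html  = isset( $opts['box_html'] ) ? $opts['box_html'] : '';
    // Escape on output as well: options can be written by other code paths
    // (WP-CLI, imports, older plugin versions), so sanitizing on save is not
    // sufficient on its own. Apply the same escaping wherever the value is
    // rendered, including any front-end shortcode or widget.
    printf(
        '<input type="text" name="xyz_settings[box_title]" value="%s">',
        esc_attr( $title )
    );
    echo '<div class="xyz-preview">' . wp_kses_post( $html ) . '</div>';
}

add_action( 'admin_init', 'xyz_register_settings_hardened' );
```

The two halves of the fix are independent and both are needed: sanitize_callback decides what may be stored, esc_attr / wp_kses_post decide what may reach the browser. Reviewing a plugin for this class of bug means checking every register_setting call for a callback and every echo of a get_option value for an escaping function.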

Potential Impact

The exposure is confined to installations where the plugin is present and an attacker, or a malicious or compromised insider, holds an administrator role that can reach its settings. Within that boundary the consequences are those of stored XSS in an administrative context: a payload that fires in the browser of other administrators or super admins can perform actions with their session (create users, change settings, install code), exfiltrate data visible to them, or alter what site visitors see if the affected setting is rendered on the public side. For European organizations the regulatory exposure is to the confidentiality and integrity of personal data under GDPR; availability is not directly affected. Multisite networks, common in agencies, universities and large companies, are the most relevant targets because the network model explicitly denies site administrators unfiltered_html and this bug restores it. The medium CVSS rating reflects the high privilege required, not a low impact once triggered; it should be handled on a normal patching cadence, and sooner where site administrators are not fully trusted or where an administrator account could plausibly be phished.

Mitigation Recommendations

Inventory first: list installed plugins (wp plugin list, or the Plugins screen on each site in a network) and note any Nokaut Offers Box install at version 1.4.0 or earlier. This record links no fixed release, so check the plugin's changelog for a version newer than 1.4.0 before assuming none exists; if none is available, deactivate or remove the plugin, or at minimum confirm who holds the administrator role on every site where it is active. Treat multisite networks as the priority case: the site administrators who can edit these settings are exactly the users the network denies unfiltered_html, so the plugin is the bypass. Review the plugin's stored options for markup (script tags, on*= event handlers, javascript: URLs) to learn whether a payload has already been planted, and treat a hit as an incident rather than a hygiene finding. A Content-Security-Policy can blunt inline event handlers and injected script tags, but wp-admin depends on inline scripts, so a strict policy on the admin area needs nonces or hashes and careful testing; it is defense in depth, not a fix. Keep WordPress core and all plugins current, include admin-only settings pages in application security testing (stored XSS in settings is routinely missed by scanners that run unauthenticated), and make sure the incident response plan covers compromise of an administrator's browser session.
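The audit steps above as one WP-CLI script, added here as an example (not vendor or project code). It assumes the plugin's header "Plugin Name" reads "Nokaut Offers Box" and that the affected range is versions up to 1.4.0 as the advisory states; the option scan is a heuristic over autoloaded options, because the advisory does not name the plugin's option keys.

```php
<?php
/**
 * Audit helper for CVE-2024-10632, written for this page.
 * Run from the WordPress root:  wp eval-file audit-cve-2024-10632.php
 * On multisite, run it once per site:
 *   for u in $(wp site list --field=url); do wp eval-file audit-cve-2024-10632.php --url="$u"; done
 *
 * Assumptions: plugin header name "Nokaut Offers Box"; affected <= 1.4.0;
 * option key names unknown, so step 3 scans all autoloaded options.
 */

if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

$findings = 0;

// 1. Inventory: is the plugin installed, which version, is it active here?
foreach ( get_plugins() as $file => $header ) {
    if ( stripos( $header['Name'], 'Nokaut Offers Box' ) === false ) {
        continue;
    }
    $affected = version_compare( $header['Version'], '1.4.0', '<=' );
    if ( $affected ) {
        $findings++;
    }
    printf(
        "%s %s (%s) %s\n",
        $header['Name'],
        $header['Version'],
        is_plugin_active( $file ) ? 'active' : 'inactive',
        $affected ? '=> within affected range, treat as vulnerable' : '=> outside affected range'
    );
}

// 2. Context: is unfiltered_html actually withheld from administrators here?
//    Multisite denies it to everyone but super admins; the constant denies it to all.
$withheld = is_multisite()
    || ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML );
printf(
    "unfiltered_html for administrators: %s\n",
    $withheld
        ? 'withheld (plugin must sanitize its own options; this CVE bypasses that)'
        : 'granted (administrators could store HTML through core anyway)'
);

// 3. IR check (heuristic): do any stored options already carry script-bearing markup?
//    Requires whitespace before an on* attribute and a quote after "=" to cut
//    down on false positives such as "reason=" in ordinary strings.
$markers = '/<script\b|\son[a-z]+\s*=\s*["\']|javascript:/i';
foreach ( wp_load_alloptions() as $name => $value ) {
    $flat = is_serialized( $value )
        ? print_r( maybe_unserialize( $value ), true )
        : (string) $value;
    if ( preg_match( $markers, $flat ) ) {
        $findings++;
        printf( "option '%s' contains script-like markup, review it\n", $name );
    }
}

// Non-zero exit lets a CI job or fleet script flag the site.
exit( $findings > 0 ? 1 : 0 );
```

Step 3 will also surface legitimate options that embed scripts (analytics snippets, theme customizer HTML), so read the hits rather than acting on the count; what matters for this CVE is markup in the offers-box settings that no administrator remembers saving.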

Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-10-31T17:58:29.177Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec18c

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 6:54:55 AM

Last updated: 7/31/2025, 4:14:35 PM
