CVE-2024-10710: CWE-79 Cross-Site Scripting (XSS) in YaDisk Files
The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Analysis
Technical Summary
CVE-2024-10710 identifies a stored Cross-Site Scripting (XSS) vulnerability in the YaDisk Files WordPress plugin through version 1.2.5. The root cause is the plugin's failure to sanitize and escape certain settings inputs, which allows high-privilege users, such as administrators, to inject JavaScript that is stored in the settings and later executed in the browsers of other users or administrators who view the affected page. The vulnerability is notable because it is exploitable even when the unfiltered_html capability is disallowed, the WordPress control that normally prevents such script injection (for example in multisite environments). The attack requires authenticated high-privilege access and user interaction, which limits the scope of exploitation. The CVSS 3.1 base score of 3.5 reflects the low severity: the attack complexity is low, but privileges and user interaction are required. The vulnerability affects confidentiality and integrity, since executed script could steal cookies, perform actions on behalf of administrators, or deface the site. No patches or public exploits are currently available, but the vulnerability is published and should be addressed promptly. The plugin runs in WordPress environments, which are widely deployed across Europe, especially on small and medium enterprise and public sector websites.
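The settings-handling pattern behind this class of bug, as an added illustration written for this page (hypothetical plugin code, not the YaDisk Files plugin's own source; the option name `ydx_example_label` and all function names are assumptions). The first handler stores and echoes a setting verbatim; the second sanitizes on save and escapes on output, so the stored value stays inert even for an administrator who lacks `unfiltered_html`.

```php
<?php
// Added example: hypothetical plugin settings code, NOT the YaDisk Files plugin's source.
// The option name and function names are assumptions made for this illustration.

// --- Vulnerable pattern: value stored and rendered without sanitization or escaping ---
function ydx_vulnerable_register() {
    // No sanitize_callback: whatever is POSTed is stored verbatim in wp_options.
    register_setting( 'ydx_options', 'ydx_example_label' );
}
function ydx_vulnerable_render() {
    $label = get_option( 'ydx_example_label', '' );
    // Unescaped output: any markup in the stored value is rendered by the browser of
    // whoever views this admin page. The unfiltered_html capability only gates kses
    // filtering of post content, not option values a plugin stores itself.
    echo '<input type="text" name="ydx_example_label" value="' . $label . '">';
}

// --- Hardened pattern: sanitize on save, escape on output, check capability ---
function ydx_safe_register() {
    register_setting( 'ydx_options', 'ydx_example_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'ydx_sanitize_label',
        'default'           => '',
    ) );
}
function ydx_sanitize_label( $value ) {
    // Plain-text setting: strip tags and control characters before storage.
    // For a setting that legitimately carries limited HTML, use wp_kses() with an
    // explicit allow-list instead of trusting the caller's capability.
    return sanitize_text_field( (string) $value );
}
function ydx_safe_render() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $label = get_option( 'ydx_example_label', '' );
    // esc_attr() encodes quotes and angle brackets, so even a value that slipped
    // past sanitization cannot break out of the attribute context.
    printf(
        '<input type="text" name="%s" value="%s">',
        esc_attr( 'ydx_example_label' ),
        esc_attr( $label )
    );
}
add_action( 'admin_init', 'ydx_safe_register' );
```

Sanitization on save and escaping on output are independent layers; the fix for a stored XSS of this kind needs both, since an existing poisoned option value survives a save-side fix alone.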
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of WordPress sites using the YaDisk Files plugin. Since exploitation requires high-privilege access, the threat comes mainly from insiders or compromised administrator accounts. Successful exploitation could lead to session hijacking, unauthorized actions, or defacement, potentially damaging organizational reputation and trust. Public sector and commercial websites relying on WordPress with this plugin may face targeted attacks aiming to disrupt services or steal sensitive information. Given the low CVSS score and the lack of known exploits, the immediate risk is limited but should not be ignored, especially in environments with multiple administrators or less stringent access controls. Organizations in Europe subject to strict data protection regulations (e.g., GDPR) must consider the potential for data leakage or unauthorized data manipulation.
Mitigation Recommendations
1. Immediately update the YaDisk Files plugin to the latest version once a patch is released by the vendor.
2. Until a patch is available, restrict administrative access to trusted personnel only and enforce strong authentication mechanisms such as MFA.
3. Regularly audit user roles and permissions to minimize the number of high-privilege users.
4. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts targeting plugin settings.
5. Monitor WordPress logs and admin activity for unusual behavior or unexpected changes in plugin settings.
6. Educate administrators about the risks of stored XSS and safe plugin configuration practices.
7. Consider isolating critical WordPress instances or using security plugins that sanitize inputs and outputs at multiple layers.
8. Back up WordPress sites regularly to enable quick recovery in case of compromise.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2024-11-01T19:54:45.277Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961693845ea0302aa73d9d0
Added to database: 1/9/2026, 8:46:48 PM
Last enriched: 1/9/2026, 8:47:00 PM
Last updated: 1/10/2026, 8:21:32 AM