The StreamWeasels Online Status Bar plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2024-11438. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically in the handling of the 'sw-status-bar' shortcode attributes. The plugin fails to adequately sanitize and escape user-supplied input, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. Because the malicious script is stored persistently, it executes in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress site. The vulnerability affects all versions up to and including 2.1.9. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and a scope change with partial confidentiality and integrity impacts but no availability impact. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin's permissions model. The issue underscores the importance of proper input validation and output encoding in plugin development to prevent XSS attacks.

If exploited, this vulnerability can allow an attacker with contributor-level access to inject malicious scripts that execute in the browsers of site visitors and administrators. This can lead to theft of authentication cookies, enabling session hijacking and potential privilege escalation. Attackers might also perform unauthorized actions on behalf of other users, deface content, or distribute malware. The impact is particularly severe for sites with multiple users or administrators, as it undermines trust and can lead to broader compromise of the WordPress environment. While availability is not affected, the confidentiality and integrity of user data and site content are at risk. Organizations relying on this plugin may face reputational damage, data breaches, and compliance issues if the vulnerability is exploited.

Administrators should immediately update the StreamWeasels Online Status Bar plugin to a patched version once available. In the absence of an official patch, restrict contributor-level and higher permissions to trusted users only. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode attribute inputs that contain script tags or event handlers. Conduct a thorough audit of existing content using the 'sw-status-bar' shortcode to identify and remove any malicious scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Additionally, educate site administrators and contributors about the risks of injecting untrusted content and enforce the principle of least privilege for user roles. Regularly monitor logs and user activity for signs of exploitation attempts.