CVE-2024-1341 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the Advanced iFrame plugin for WordPress developed by mdempfle. The vulnerability exists in all versions up to and including 2024.1. It stems from improper input neutralization in the advanced_iframe shortcode, specifically the additional_js attribute, which allows authenticated users with contributor-level or higher permissions to include external JavaScript files. This capability enables attackers to inject arbitrary scripts that persist in the WordPress database and execute in the browsers of any user visiting the infected page. The attack vector requires authentication but no further user interaction. The vulnerability's CVSS 3.1 score is 4.9, indicating medium severity due to network attack vector, high attack complexity, low privileges required, no user interaction, and partial confidentiality and integrity impact. While no public exploits are known, the stored nature of the XSS can facilitate persistent attacks such as session hijacking, unauthorized actions on behalf of users, or distribution of malware. The scope is limited to sites using the Advanced iFrame plugin and having users with contributor or higher permissions capable of injecting malicious content. The vulnerability highlights the risks of allowing user-controlled inclusion of external scripts without proper sanitization or validation.

The primary impact of CVE-2024-1341 is the potential for attackers with contributor-level access to inject persistent malicious JavaScript into WordPress pages, which executes in the context of any user viewing those pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, or distribution of malware. Although the vulnerability does not affect availability, it compromises confidentiality and integrity to a limited extent. Organizations with multiple contributors or editors are at higher risk, as these roles can be leveraged to inject scripts. The exploitation complexity is high due to the need for authenticated access, but once exploited, the impact can be widespread across all site visitors. This can damage organizational reputation, lead to data breaches, and potentially facilitate further attacks within the network if administrative users are targeted. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks or insider threat scenarios.

To mitigate CVE-2024-1341, organizations should immediately audit user roles and permissions to restrict contributor-level and higher access to trusted individuals only. Disable or restrict the use of the additional_js attribute in the advanced_iframe shortcode until a patch is available. Implement strict input validation and sanitization on any user-supplied content, especially for attributes that allow script inclusion. Monitor WordPress sites for unusual script injections or unauthorized changes to iframe shortcodes. Employ Web Application Firewalls (WAFs) with rules targeting stored XSS patterns in WordPress plugins. Keep the Advanced iFrame plugin updated and apply vendor patches promptly once released. Educate content contributors about the risks of injecting external scripts and enforce security policies around content management. Consider using Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scan WordPress installations with security tools to detect and remediate injected malicious code.