CVE-2024-1386 is a stored cross-site scripting (XSS) vulnerability affecting the MailerLite – Signup forms (official) WordPress plugin, specifically versions 1.5.0 through 1.7.6. The vulnerability arises from improper neutralization of user-supplied input within the plugin's shortcode attributes, where insufficient input sanitization and output escaping allow authenticated users with contributor-level or higher permissions to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who views the affected page, leading to potential compromise of user sessions, theft of sensitive information, or unauthorized actions performed on behalf of users. The attack vector requires authenticated access but no user interaction beyond visiting the infected page. The vulnerability impacts confidentiality and integrity but not availability, with a CVSS v3.1 score of 6.4, reflecting medium severity. No patches or known exploits are currently public, but the vulnerability is publicly disclosed and documented by Wordfence and the CVE database. This issue is classified under CWE-79, indicating a classic cross-site scripting flaw due to improper input handling during web page generation.

The primary impact of this vulnerability is the potential compromise of user accounts and sensitive data through session hijacking or theft of authentication tokens when malicious scripts execute in users' browsers. Attackers with contributor-level access can escalate their influence by injecting persistent scripts that affect administrators or other users with higher privileges. This can lead to unauthorized actions such as content manipulation, privilege escalation, or distribution of malware. For organizations, this undermines trust in their web presence, risks data breaches, and may lead to regulatory or compliance issues, especially for sites handling personal or financial information. Since the vulnerability requires authenticated access, the risk is somewhat mitigated but remains significant in environments with multiple contributors or less stringent access controls. The scope includes all WordPress sites using the vulnerable MailerLite plugin versions, which are common in digital marketing and email subscription management, thus affecting a broad range of industries worldwide.

Organizations should immediately verify the version of the MailerLite – Signup forms plugin installed on their WordPress sites and upgrade to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level permissions to trusted users only and audit existing shortcode content for suspicious scripts. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting shortcode attributes can provide interim protection. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular security audits and monitoring of user-generated content for anomalies are recommended. Finally, educating contributors about secure content practices and limiting plugin usage to essential, well-maintained components reduces the attack surface.