
CVE-2024-1582: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpgmaps WP Go Maps (formerly WP Google Maps)

Severity: Medium
Tags: CVE-2024-1582, CWE-79
Published: Wed Mar 13 2024 (03/13/2024, 01:57:27 UTC)
Source: CVE Database V5
Vendor/Project: wpgmaps
Product: WP Go Maps (formerly WP Google Maps)

Description

CVE-2024-1582 is a stored cross-site scripting (XSS) vulnerability in the WP Go Maps WordPress plugin affecting all versions up to and including 9.0.32. Authenticated users with contributor-level or higher permissions can inject malicious scripts via the 'wpgmza' shortcode because of insufficient input sanitization and output escaping. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking, defacement, or further attacks. The vulnerability has a CVSS score of 6.4 (medium severity); it does not require user interaction but does require authenticated access. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent exploitation. The threat primarily affects WordPress sites globally, especially those with contributor-level user roles enabled.

AI-Powered Analysis

Last updated: 02/26/2026, 09:42:13 UTC

Technical Analysis

CVE-2024-1582 is a stored cross-site scripting (XSS) vulnerability identified in the WP Go Maps plugin for WordPress, formerly known as WP Google Maps. This vulnerability arises from improper neutralization of user-supplied input in the 'wpgmza' shortcode, which is used to embed maps on WordPress pages. Specifically, the plugin fails to adequately sanitize and escape attributes provided by authenticated users with contributor-level or higher permissions. As a result, these users can inject arbitrary JavaScript code that is stored persistently in the website's content. When any user, including administrators or visitors, accesses a page containing the injected shortcode, the malicious script executes within their browser context. This can lead to a range of attacks such as session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability affects all versions of the plugin up to and including 9.0.32. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (contributor or higher), no user interaction, and a scope change due to the impact crossing privilege boundaries. Although no active exploits have been reported, the vulnerability poses a significant risk given the widespread use of WordPress and the plugin's popularity. The root cause is the lack of proper input validation and output encoding in the shortcode processing logic, which violates secure coding practices for web applications and leads to CWE-79 (Improper Neutralization of Input During Web Page Generation).

Potential Impact

The impact of CVE-2024-1582 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows authenticated users with contributor or higher roles to inject persistent malicious scripts that execute in the context of other users' browsers. This can lead to theft of session cookies, enabling attackers to impersonate administrators or other users, potentially resulting in full site compromise. Additionally, attackers can deface websites, redirect users to malicious sites, or deploy further client-side attacks such as malware distribution. While availability impact is minimal, the reputational damage and potential data breaches can be significant. Organizations relying on WP Go Maps for location services on their WordPress sites are at risk, especially if they allow contributor-level users or have weak user management policies. The vulnerability also increases the attack surface for phishing and social engineering campaigns targeting site users. Given WordPress's global market share and the plugin's popularity, the threat can affect a broad range of sectors including e-commerce, education, government, and media worldwide.

Mitigation Recommendations

To mitigate CVE-2024-1582, organizations should immediately update the WP Go Maps plugin to a version that addresses this vulnerability once available. In the absence of a patch, administrators should restrict contributor-level permissions and review user roles to limit who can add or edit content containing the 'wpgmza' shortcode. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections in shortcode attributes can provide temporary protection. Additionally, site owners should audit existing content for injected scripts and remove any suspicious entries. Enforcing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Developers maintaining the plugin should apply secure coding practices including rigorous input validation, output encoding, and use of WordPress security APIs for shortcode processing. Regular security scanning and monitoring for anomalous behavior related to shortcode usage are also recommended. Finally, educating content contributors about the risks of injecting untrusted code and enforcing strict content review workflows can reduce exploitation likelihood.
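The following is an added illustration, not WP Go Maps' own code, of the shortcode-handling defect class the analysis describes and its fix using the WordPress escaping APIs; the shortcode name `example_map` and both handler names are hypothetical.

```php
<?php
// Hypothetical WordPress shortcode handler (added example, not the plugin's code).
// It renders a map container from user-supplied shortcode attributes, which a
// contributor-level user can set in post content.

// Vulnerable form: attribute values are concatenated into HTML without
// validation or escaping. A value containing a double quote closes the
// title attribute, so the rest of the value lands in HTML context (CWE-79).
function example_map_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '1', 'title' => '' ), $atts, 'example_map' );
    return '<div class="map" data-id="' . $atts['id'] . '" title="' . $atts['title'] . '"></div>';
}

// Hardened form: validate each attribute against its expected type on input,
// then escape on output for the exact context it is placed in.
function example_map_shortcode_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'id' => '1', 'title' => '' ), $atts, 'example_map' );
    $id    = absint( $atts['id'] );                 // integer only; anything else becomes 0
    $title = sanitize_text_field( $atts['title'] ); // strips tags, control chars, stray whitespace
    return sprintf(
        '<div class="map" data-id="%d" title="%s"></div>',
        $id,
        esc_attr( $title )                          // attribute-context escaping of quotes, <, >, &
    );
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_shortcode( 'example_map', 'example_map_shortcode_hardened' );
```

Reviewers can apply the same checklist to any shortcode: every attribute gets a type-specific sanitizer (absint, sanitize_text_field, esc_url_raw) on input and a context-specific escaper (esc_attr, esc_html, esc_url, wp_json_encode) on output.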


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-02-16T14:24:24.389Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6d35b7ef31ef0b56eff0

Added to database: 2/25/2026, 9:44:21 PM

Last enriched: 2/26/2026, 9:42:13 AM

Last updated: 2/26/2026, 9:43:49 AM