CVE-2024-1663 is a medium-severity vulnerability classified as CWE-79 (Cross-Site Scripting, XSS) found in the Ultimate Noindex Nofollow Tool II WordPress plugin versions prior to 1.3.6. This plugin fails to properly sanitize and escape certain settings, which can be manipulated by users with high privileges, such as administrators, to inject and store malicious scripts. Notably, this vulnerability can be exploited even when the WordPress capability 'unfiltered_html' is disabled, such as in multisite environments, which typically restricts HTML input to trusted users. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), and demands high privileges (PR:H) with user interaction (UI:R). The vulnerability impacts confidentiality and integrity by allowing stored XSS attacks that could lead to session hijacking, privilege escalation, or unauthorized actions performed in the context of an authenticated administrator. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The CVSS score of 4.8 reflects a medium severity level. No known exploits are currently reported in the wild, and no official patches have been linked, indicating that mitigation may rely on plugin updates or manual remediation. This vulnerability is particularly relevant in multisite WordPress deployments where multiple sites share a single WordPress installation, increasing the potential impact of a successful exploit.

For European organizations, especially those using WordPress multisite setups with the Ultimate Noindex Nofollow Tool II plugin, this vulnerability poses a risk of stored XSS attacks that could compromise administrative accounts. Exploitation could lead to unauthorized changes in site configurations, defacement, or the injection of malicious content that affects site visitors and users. Confidentiality of administrative sessions and data integrity could be compromised, potentially leading to broader network access if attackers leverage the foothold gained through XSS. Given the widespread use of WordPress in Europe for corporate websites, e-commerce, and government portals, the vulnerability could disrupt business operations, damage reputations, and lead to regulatory compliance issues under GDPR if personal data is exposed or manipulated. The requirement for high privileges limits the attack surface to trusted users, but insider threats or compromised admin accounts could still exploit this flaw. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.

European organizations should immediately verify if they use the Ultimate Noindex Nofollow Tool II plugin, particularly in multisite WordPress environments. They should upgrade the plugin to version 1.3.6 or later once available. Until a patch is applied, administrators should restrict plugin access to the minimum necessary users and audit admin accounts for suspicious activity. Implementing Web Application Firewalls (WAF) with custom rules to detect and block typical XSS payloads targeting plugin settings can provide interim protection. Additionally, organizations should enforce strong authentication and session management policies to reduce the risk of compromised admin credentials. Regular security audits and monitoring of WordPress logs for unusual input or behavior related to plugin settings are recommended. If patching is delayed, consider disabling or removing the plugin temporarily to eliminate the attack vector. Educating administrators about the risks of stored XSS and safe input handling practices is also beneficial.