CVE-2024-1761 is a stored cross-site scripting vulnerability classified under CWE-79 affecting the WP Chat App plugin for WordPress, versions up to and including 3.6.1. The root cause is insufficient sanitization and escaping of user-supplied input fields such as 'buttonColor' and 'phoneNumber' in the plugin's widget or block components. This flaw allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers within the context of the vulnerable site, potentially leading to session hijacking, privilege escalation, or unauthorized actions. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, with low complexity, requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability can affect other users beyond the attacker. No known public exploits have been reported yet, but the vulnerability poses a significant risk given the widespread use of WordPress and the plugin. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially for user-controllable attributes in dynamic content generation.

The primary impact of CVE-2024-1761 is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, enabling session hijacking, theft of sensitive information, unauthorized actions on behalf of users, or defacement of site content. While availability is not directly impacted, the reputational damage and potential data breaches can be significant. Organizations relying on the WP Chat App plugin expose themselves to risks of targeted attacks, especially if contributor accounts are compromised or misused. The vulnerability can facilitate lateral movement within the site and potentially escalate privileges if combined with other flaws. Given WordPress's extensive use worldwide, this vulnerability could affect a broad range of organizations, including small businesses, blogs, and enterprises using the plugin for customer interaction.

To mitigate CVE-2024-1761, organizations should immediately update the WP Chat App plugin to a patched version once released by the vendor. Until a patch is available, restrict contributor-level permissions to trusted users only and audit existing contributor accounts for suspicious activity. Implement web application firewall (WAF) rules to detect and block common XSS payloads targeting the vulnerable parameters ('buttonColor', 'phoneNumber'). Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly review and sanitize all user inputs in custom WordPress plugins or themes to prevent similar vulnerabilities. Additionally, monitor logs for unusual activity indicative of exploitation attempts. Educate site administrators and contributors about the risks of XSS and safe content management practices. Finally, consider disabling or replacing the WP Chat App plugin if immediate patching is not feasible.