CVE-2024-1787 is a stored cross-site scripting (XSS) vulnerability identified in the Contests by Rewards Fuel plugin for WordPress, affecting all versions up to and including 2.0.64. The root cause is insufficient sanitization and escaping of the 'update_rewards_fuel_api_key' parameter, which allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. This malicious code is stored persistently and executed in the browsers of users who visit the affected pages, enabling attackers to perform actions such as session hijacking, privilege escalation, or unauthorized modifications within the WordPress environment. The vulnerability has a CVSS 3.1 score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C). The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin's role in managing contests and rewards, which often involve user interaction and data. The vulnerability was published on March 20, 2024, and assigned by Wordfence. Currently, no official patches or updates have been linked, so mitigation relies on access control and monitoring.

The vulnerability allows attackers with contributor-level access to inject persistent malicious scripts, which can compromise the confidentiality and integrity of WordPress sites using the Contests by Rewards Fuel plugin. Potential impacts include theft of authentication cookies, enabling session hijacking, unauthorized actions performed on behalf of other users, and possible defacement or manipulation of contest data. Since contributors typically have limited privileges, the risk is somewhat contained, but if higher privilege accounts are compromised, the impact escalates. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting the entire WordPress site. This can lead to reputational damage, loss of user trust, and regulatory compliance issues for organizations relying on the plugin for contest management. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often target popular CMS plugins. Organizations worldwide using this plugin are at risk, particularly those with contributor-level users who may be less security-aware.

1. Immediately restrict contributor-level access to trusted users only and review existing contributor accounts for suspicious activity. 2. Implement strict input validation and output encoding on all user-supplied data, especially the 'update_rewards_fuel_api_key' parameter, if custom modifications are possible. 3. Monitor WordPress logs and plugin-related pages for unusual script injections or unexpected JavaScript code. 4. Disable or remove the Contests by Rewards Fuel plugin if it is not essential until an official patch or update is released. 5. Employ Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting this plugin. 6. Educate site administrators and contributors about the risks of XSS and safe content management practices. 7. Once available, promptly apply official patches or updates from the plugin vendor. 8. Consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. 9. Regularly back up site data to enable recovery in case of compromise.