CVE-2024-1805 is a stored cross-site scripting vulnerability classified under CWE-80, affecting the WPBakery Visual Composer plugin for WordPress in all versions up to and including 7.5. The root cause is insufficient input sanitization and output escaping of the button onclick attribute, which allows authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers within the context of the vulnerable website. This can lead to a range of attacks including session hijacking, theft of sensitive information, unauthorized actions on behalf of users, or defacement of the website. The vulnerability requires authentication but no user interaction to trigger the payload once injected. The CVSS v3.1 score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity. No public exploit code or active exploitation has been reported yet. The vulnerability highlights the importance of robust input validation and output encoding in web applications, especially for plugins that allow content creation by multiple users. WPBakery Visual Composer is widely used in WordPress sites for page building, making this vulnerability relevant to a large number of websites globally.

The impact of CVE-2024-1805 can be significant for organizations using WPBakery Visual Composer, particularly those with multiple contributors or public-facing websites. Successful exploitation allows an attacker with contributor or higher privileges to inject persistent malicious scripts that execute in the browsers of any user visiting the compromised pages. This can lead to session hijacking, enabling attackers to impersonate users including administrators, data theft, unauthorized actions such as content modification or privilege escalation, and reputational damage due to defacement or malware distribution. Although the attack requires authenticated access, contributor-level permissions are common in collaborative environments, increasing the risk. The vulnerability affects confidentiality and integrity but not availability. Organizations relying on WordPress sites for business operations, e-commerce, or content delivery may face data breaches, loss of customer trust, and compliance issues if exploited. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as exploit code may emerge.

To mitigate CVE-2024-1805, organizations should immediately update WPBakery Visual Composer to a patched version once available. Until a patch is released, administrators should restrict contributor-level access to trusted users only and review existing content for suspicious scripts. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the button onclick attribute can provide interim protection. Enforce strict input validation and output encoding policies for user-generated content in WordPress. Regularly audit user permissions and monitor logs for unusual activities related to content creation or modification. Educate content contributors about the risks of injecting scripts and enforce security best practices. Additionally, consider disabling or limiting the use of the vulnerable button onclick functionality if feasible. Backup website data frequently to enable recovery in case of compromise. Finally, maintain an incident response plan to quickly address any exploitation attempts.