CVE-2024-1977 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Restaurant Solutions – Checklist plugin for WordPress, specifically version 1.0.0. The flaw stems from insufficient sanitization and escaping of user input in the checklist points feature. Authenticated users with administrator-level privileges can inject arbitrary JavaScript code into pages generated by the plugin. Because the vulnerability is stored, the malicious script persists in the database and executes whenever any user accesses the infected page, potentially leading to session hijacking, privilege escalation, or other malicious actions. This vulnerability only manifests in multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting its scope. The attack vector requires network access (remote) and high privileges (administrator), with no user interaction needed beyond page access. The CVSS 3.1 base score is 4.4, indicating a medium severity level due to the combination of privilege requirements and limited impact on availability. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly.

The primary impact of this vulnerability is the potential for stored XSS attacks that can compromise the confidentiality and integrity of user sessions and data. An attacker with administrator access can inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of users. While availability is not directly affected, the trustworthiness of the affected WordPress sites can be undermined. The requirement for administrator privileges and multi-site or unfiltered_html-disabled configurations limits the attack surface, but organizations running multi-site WordPress environments with this plugin are at risk. Exploitation could lead to broader compromise if attackers leverage the XSS to escalate privileges or move laterally within the network. The lack of known exploits reduces immediate risk, but the vulnerability remains a significant concern for affected installations.

To mitigate CVE-2024-1977, organizations should first verify if they are running the Restaurant Solutions – Checklist plugin version 1.0.0 in a multi-site WordPress environment or with unfiltered_html disabled. Immediate mitigation includes restricting administrator access to trusted personnel only and auditing existing checklist points for suspicious scripts. Since no official patch is currently available, consider disabling or uninstalling the plugin until a fix is released. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting this plugin can provide temporary protection. Additionally, enabling Content Security Policy (CSP) headers can help reduce the impact of injected scripts. Regularly monitor WordPress security advisories for updates or patches. Finally, ensure that all WordPress core and plugins are kept up to date to minimize exposure to similar vulnerabilities.