CVE-2024-3023 is a stored cross-site scripting (XSS) vulnerability identified in the AnnounceKit plugin for WordPress, affecting all versions up to and including 2.0.9. The root cause is improper neutralization of input during web page generation, specifically due to insufficient input sanitization and output escaping in the plugin's administrative settings interface. This vulnerability is exploitable only in multi-site WordPress installations where the unfiltered_html capability is disabled, which restricts users from posting unfiltered HTML content. An attacker with administrator-level privileges or higher can inject arbitrary JavaScript code into the plugin's settings. When other users access the affected pages, the injected scripts execute in their browsers, potentially allowing the attacker to steal session cookies, perform actions on behalf of users, or manipulate page content. The vulnerability requires authenticated access with high privileges, no user interaction is needed for the payload to execute once injected, and the scope is limited to multi-site environments. The CVSS v3.1 base score is 4.4 (medium severity), reflecting the network attack vector, high attack complexity, required privileges, no user interaction, and limited impact on confidentiality and integrity without availability impact. No public exploit code or widespread exploitation has been reported to date. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those managing administrative settings in multi-site contexts.

The primary impact of this vulnerability is the potential for stored cross-site scripting attacks, which can compromise the confidentiality and integrity of user sessions and data within affected WordPress multi-site environments. An attacker with administrator privileges can inject malicious scripts that execute in the browsers of other users accessing the compromised pages, potentially leading to session hijacking, unauthorized actions, or defacement. Although the vulnerability does not directly affect system availability, the resulting trust erosion and potential data leakage can have significant reputational and operational consequences. Organizations running multi-site WordPress installations with the AnnounceKit plugin are at risk, particularly if they have multiple administrators or users with elevated privileges. The requirement for high privileges limits the attack surface but does not eliminate risk, especially in environments with multiple administrators or where credential compromise is possible. The absence of known exploits in the wild reduces immediate risk but does not preclude future exploitation. Overall, the vulnerability could facilitate targeted attacks against organizations relying on this plugin for announcements or notifications, potentially impacting internal communications and user trust.

To mitigate CVE-2024-3023, organizations should first update the AnnounceKit plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should restrict the number of users with administrator-level permissions to minimize the risk of malicious script injection. Additionally, review and tighten access controls on multi-site WordPress installations, ensuring that only trusted personnel have high-level privileges. Implement web application firewalls (WAFs) with rules designed to detect and block common XSS payloads targeting the plugin's admin settings pages. Regularly audit plugin configurations and content for suspicious scripts or unauthorized changes. Consider enabling Content Security Policy (CSP) headers to limit the execution of injected scripts. Finally, educate administrators about the risks of injecting untrusted content and encourage the use of security best practices for plugin management and WordPress multi-site administration.