CVE-2024-3030 is a stored cross-site scripting vulnerability identified in the Announce from the Dashboard plugin for WordPress, affecting all versions up to and including 1.5.2. The root cause is insufficient sanitization and escaping of input fields within the plugin's admin settings, which allows an attacker with administrator-level permissions to inject arbitrary JavaScript code. This malicious script is stored persistently and executed whenever any user accesses the compromised page, leading to potential session hijacking, defacement, or further exploitation. The vulnerability specifically impacts WordPress multi-site installations or those where the unfiltered_html capability is disabled, limiting the scope of affected environments. Exploitation requires authenticated access with high privileges, and no user interaction is necessary once the payload is injected. The CVSS 3.1 base score of 4.4 reflects a medium severity rating, considering the network attack vector, high attack complexity, and requirement for privileges. No public exploits have been reported yet, but the vulnerability poses a risk to organizations relying on this plugin for multi-site WordPress management. The vulnerability is tracked under CWE-79, which pertains to improper neutralization of input during web page generation, a common vector for XSS attacks.

The primary impact of CVE-2024-3030 is the potential for attackers with administrator privileges to execute arbitrary JavaScript in the context of affected WordPress sites. This can lead to session hijacking, credential theft, unauthorized actions on behalf of users, defacement, or distribution of malware. Since the vulnerability affects multi-site installations, the attacker could potentially compromise multiple sites within the network, amplifying the damage. However, the requirement for administrator-level access significantly reduces the likelihood of exploitation by external attackers without prior compromise. The vulnerability does not affect availability but impacts confidentiality and integrity of data and user sessions. Organizations using this plugin in multi-site environments face increased risk of lateral movement and persistent compromise if exploited. The absence of known exploits in the wild suggests limited active threat currently, but the vulnerability should be treated seriously due to the sensitive nature of administrator privileges and potential cascading effects in multi-site setups.

To mitigate CVE-2024-3030, organizations should first verify if they are running the Announce from the Dashboard plugin in a multi-site WordPress environment or with unfiltered_html disabled. Immediate steps include updating the plugin to a patched version once available or disabling the plugin until a fix is released. If patching is not immediately possible, restrict administrator access to trusted personnel only and monitor admin settings for unauthorized changes. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection patterns targeting the plugin’s admin pages. Additionally, enforce Content Security Policy (CSP) headers to limit the execution of injected scripts. Regularly audit multi-site WordPress installations for unusual activity and review user privileges to minimize the risk of insider threats. Finally, educate administrators on the risks of XSS and the importance of input validation and output escaping in custom plugins or themes.