CVE-2024-3341 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the 'Shortcodes and extra features for Phlox theme' WordPress plugin developed by averta. The vulnerability exists in the 'aux_gmaps' shortcode, which fails to properly sanitize and escape user-supplied attributes before rendering them on web pages. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability affects all plugin versions up to and including 2.15.5. The CVSS 3.1 base score is 6.4, reflecting a network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change with low confidentiality and integrity impacts but no availability impact. No patches or exploit code are currently publicly available, but the risk remains significant due to the widespread use of WordPress and the plugin’s popularity. The vulnerability is particularly dangerous in multi-user environments where contributors can add content, as it enables persistent script injection that affects all visitors to the compromised pages.

The primary impact of this vulnerability is the compromise of confidentiality and integrity for users visiting affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users’ browsers, potentially leading to session hijacking, theft of sensitive information, defacement, or unauthorized actions performed on behalf of users. This can damage the reputation of affected organizations, lead to data breaches, and cause loss of user trust. Since the vulnerability is stored XSS, the malicious payload persists on the server and affects all visitors to the infected pages, amplifying the potential damage. Organizations with multiple content contributors or public-facing WordPress sites are at higher risk. Although availability is not directly impacted, the indirect effects such as site blacklisting by search engines or browsers can cause operational disruptions. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but this does not eliminate risk, especially in environments with many contributors or weak access controls.

1. Upgrade the 'Shortcodes and extra features for Phlox theme' plugin to a version that addresses this vulnerability once available. 2. Until a patch is released, restrict contributor-level and higher permissions to trusted users only and review existing users for unnecessary privileges. 3. Implement a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'aux_gmaps' shortcode parameters. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the website. 5. Conduct regular security audits and code reviews of custom shortcodes or plugins to ensure proper input validation and output encoding. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content submission guidelines. 7. Monitor website logs and user activity for suspicious behavior indicative of exploitation attempts. 8. Consider disabling or removing the vulnerable shortcode if it is not essential to site functionality until a secure update is available.