CVE-2024-3517 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-80, affecting the Shortcodes and extra features for Phlox theme WordPress plugin developed by averta. The vulnerability exists in the Accordion Widget component due to insufficient sanitization of user input and inadequate output escaping. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the widget. Because the malicious script is stored persistently, it executes in the context of any user who visits the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all plugin versions up to and including 2.15.5. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with scope change. No public exploits have been reported yet, but the presence of contributor-level access as a prerequisite means that attackers must have some level of authenticated access, which is common in multi-user WordPress environments. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow content manipulation by non-administrative users.

The impact of CVE-2024-3517 can be significant for organizations using the affected WordPress plugin, particularly those with multiple contributors or editors. Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of users viewing the compromised pages, potentially leading to session hijacking, theft of authentication tokens, defacement of website content, or redirection to malicious sites. This can undermine user trust, lead to data breaches, and facilitate further attacks such as privilege escalation or malware distribution. Since the vulnerability requires contributor-level access, insider threats or compromised contributor accounts pose a realistic risk. The scope of affected systems includes any WordPress site using the vulnerable plugin version, which may be widespread given the popularity of the Phlox theme and its extensions. Although no active exploits are known, the medium severity and ease of exploitation with low complexity make this a credible threat that could be leveraged in targeted attacks or automated campaigns if weaponized.

To mitigate CVE-2024-3517, organizations should immediately audit their WordPress installations to identify the use of the Shortcodes and extra features for Phlox theme plugin and verify the version in use. Since no patch links are currently provided, administrators should monitor the vendor's official channels for updates and apply patches promptly once available. In the interim, restrict contributor-level user privileges to trusted individuals only and consider temporarily disabling or removing the vulnerable Accordion Widget functionality. Implement additional input validation and output escaping controls at the application or web server level if possible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts targeting the widget. Regularly review user accounts and activity logs to detect unauthorized access or anomalous behavior. Educate content contributors about the risks of injecting untrusted content and enforce strict content policies. Finally, ensure that all WordPress core and plugins are kept up to date to reduce exposure to similar vulnerabilities.