CVE-2024-3670 is a stored cross-site scripting (XSS) vulnerability identified in the Leaflet Maps Marker plugin for WordPress, which integrates mapping services such as Google Maps, OpenStreetMap, and Bing Maps. The vulnerability exists due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes in the plugin's 'mapsmarker' shortcode, notably the 'mapwidthunit' attribute. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages or posts. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability affects all versions up to and including 3.12.8. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the widespread use of the plugin in WordPress sites. The root cause is inadequate input validation and output encoding in the plugin's shortcode processing logic, which fails to neutralize malicious payloads embedded in shortcode attributes.

The primary impact of CVE-2024-3670 is the compromise of confidentiality and integrity within affected WordPress sites using the Leaflet Maps Marker plugin. An attacker with contributor-level access can inject persistent malicious scripts that execute in the context of site visitors and administrators, potentially stealing authentication cookies, performing actions on behalf of users, or defacing content. This can lead to unauthorized access, data leakage, and reputational damage. Since the vulnerability requires authenticated access, it limits exploitation to insiders or compromised accounts but remains a serious threat in environments with multiple contributors or weak account controls. The vulnerability does not directly affect availability but can indirectly cause service disruption through malicious actions or cleanup efforts. Organizations relying on this plugin for map functionality on their WordPress sites, especially those with multiple content contributors, face increased risk of targeted attacks and broader compromise if attackers leverage this flaw to escalate privileges or pivot to other parts of the infrastructure.

To mitigate CVE-2024-3670, organizations should immediately update the Leaflet Maps Marker plugin to a patched version once released by the vendor. Until an official patch is available, administrators should restrict contributor-level and higher permissions to trusted users only and audit existing user accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script payloads in shortcode attributes can reduce exploitation risk. Additionally, site owners should enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scanning WordPress sites for injected scripts and monitoring logs for unusual shortcode usage patterns can help detect exploitation attempts. Educating contributors about safe content practices and enforcing strong authentication mechanisms (e.g., MFA) further reduces the risk of account compromise and subsequent exploitation.