CVE-2024-3677 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the Ultimate 410 Gone Status Code plugin for WordPress developed by tinyweb. The vulnerability exists in all versions up to and including 1.1.4 due to insufficient sanitization of user input and inadequate output escaping when processing 410 entries. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages managed by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability does not require user interaction beyond visiting the compromised page but does require authentication, limiting the attack surface to users with some level of access. The CVSS 3.1 base score is 6.4, indicating a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability poses a significant risk to sites using this plugin, especially those with multiple contributors or editors. It is important to note that the vulnerability is specific to the WordPress plugin and does not affect the TinyWeb browser, despite the shared name. The issue stems from improper neutralization of input during web page generation, a common cause of stored XSS vulnerabilities in web applications.

The primary impact of CVE-2024-3677 is the compromise of confidentiality and integrity within affected WordPress sites using the Ultimate 410 Gone Status Code plugin. Exploitation allows authenticated contributors or higher to inject malicious scripts that execute in the context of other users’ browsers, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of other users, and defacement or redirection attacks. While availability is not directly impacted, the loss of trust and potential data breaches can have severe reputational and operational consequences. Organizations with multiple contributors or editors are at higher risk, as the attacker needs authenticated access but only at a contributor level. The vulnerability could be leveraged in targeted attacks against organizations relying on this plugin, especially those with valuable or sensitive content. Since no known exploits are currently in the wild, the risk is moderate but could increase rapidly once exploit code becomes available. The medium CVSS score reflects this balance of exploitability and impact.

1. Immediate mitigation involves updating the Ultimate 410 Gone Status Code plugin to a patched version once released by the vendor. Since no patch links are currently available, monitor official sources for updates. 2. Restrict contributor-level access and above to trusted users only, minimizing the risk of malicious script injection. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious script payloads in 410 entries or other plugin inputs. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. 5. Regularly audit and sanitize existing 410 entries for injected scripts and remove any malicious content. 6. Educate site administrators and contributors about the risks of XSS and safe content management practices. 7. Consider disabling or replacing the plugin if immediate patching is not feasible, especially in high-risk environments. 8. Monitor logs and user activity for signs of exploitation attempts or unusual behavior related to the plugin. These steps go beyond generic advice by focusing on access control, proactive content review, and layered defenses.