CVE-2024-3677 is a stored cross-site scripting (XSS) vulnerability identified in the Ultimate 410 Gone Status Code plugin for WordPress, affecting all versions up to and including 1.1.4. The vulnerability arises from improper neutralization of input during web page generation, specifically in the handling of 410 error entries. Authenticated users with contributor-level privileges or higher can inject arbitrary JavaScript code into the 410 error pages because the plugin fails to sufficiently sanitize input and escape output. This malicious code is stored persistently and executed in the browsers of any users who visit the affected pages, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The attack vector is remote over the network, with low attack complexity and no need for user interaction, but it requires authenticated access with contributor or higher privileges. The vulnerability affects the confidentiality and integrity of affected WordPress sites and their users but does not impact availability. The CVSS 3.1 base score is 6.4, reflecting a medium severity level. Notably, the vulnerability is specific to the WordPress plugin and does not affect the TinyWeb browser, despite the shared author name. No public exploits have been reported yet, but the presence of stored XSS in a popular CMS plugin represents a significant risk if left unpatched.

For European organizations, this vulnerability poses a risk primarily to websites running WordPress with the Ultimate 410 Gone Status Code plugin installed. Exploitation could lead to unauthorized script execution in users' browsers, enabling session hijacking, credential theft, defacement, or redirection to malicious sites. This can damage organizational reputation, lead to data breaches, and violate data protection regulations such as GDPR if personal data is compromised. Since the attack requires contributor-level access, insider threats or compromised accounts are the main vectors. The vulnerability could be leveraged to escalate attacks within an organization’s web infrastructure or target customers and partners. Given the widespread use of WordPress across Europe, especially among SMEs and public sector entities, the impact could be broad if the plugin is in use. The medium severity rating suggests moderate urgency but should not be underestimated due to the stored nature of the XSS and potential for persistent exploitation.

European organizations should immediately audit their WordPress installations to identify the presence of the Ultimate 410 Gone Status Code plugin. If found, they should upgrade to a patched version once available or remove/disable the plugin until a fix is released. In the absence of an official patch, organizations can implement input validation and output escaping at the application or web server level to neutralize malicious scripts in 410 error entries. Restrict contributor-level access strictly to trusted users and monitor for suspicious activity or unauthorized content changes. Employ Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting the plugin’s endpoints. Regularly review user permissions and conduct security awareness training to reduce insider risks. Additionally, implement Content Security Policy (CSP) headers to limit the impact of any injected scripts. Continuous monitoring and logging of web traffic and user actions can help detect exploitation attempts early.