CVE-2024-3883 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the 3D FlipBook – PDF Flipbook plugin for WordPress developed by iberezansky. The vulnerability exists in all versions up to and including 1.15.4 and is due to improper neutralization of input during web page generation. Specifically, the Bookmark URL field does not properly sanitize or escape user-supplied input, allowing authenticated users with author-level access or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who views the affected page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability requires no user interaction beyond viewing the infected page but does require the attacker to have author-level privileges, which limits the attack surface to environments where multiple users have elevated access. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly. The lack of patch links suggests that users should monitor vendor updates or apply manual mitigations.

The primary impact of CVE-2024-3883 is the compromise of confidentiality and integrity within WordPress sites using the vulnerable 3D FlipBook plugin. An attacker with author-level access can inject malicious scripts that execute in the browsers of users viewing the infected pages. This can lead to theft of session cookies, unauthorized actions performed with the victim's privileges, defacement, or distribution of malware. Although availability is not directly affected, the breach of trust and potential data leakage can have significant reputational and operational consequences. Organizations with multi-author WordPress environments, such as news sites, blogs, or corporate intranets, are particularly at risk. The requirement for author-level access reduces the likelihood of exploitation by external unauthenticated attackers but does not eliminate insider threats or compromised accounts. The vulnerability could be leveraged in targeted attacks or combined with other vulnerabilities for privilege escalation. Given WordPress's widespread use globally, the impact could be broad if not mitigated.

To mitigate CVE-2024-3883, organizations should first check for updates from the plugin vendor and apply any official patches as soon as they become available. In the absence of an official patch, administrators should restrict author-level access to trusted users only and audit existing users for unnecessary elevated privileges. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections in the Bookmark URL field can provide temporary protection. Additionally, site administrators should enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scanning the website for injected scripts and monitoring logs for suspicious activity can help detect exploitation attempts. Educating authors and contributors about safe input practices and the risks of XSS can reduce accidental introduction of malicious content. Finally, consider disabling or replacing the vulnerable plugin if it is not essential or if no timely patch is available.