CVE-2024-4045 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Popup Builder by OptinMonster plugin for WordPress, which is widely used for creating popups to capture opt-ins, email newsletters, and lead generation. The vulnerability exists in all versions up to and including 2.16.1 due to insufficient input sanitization and output escaping of the 'campaign_id' parameter. Authenticated attackers with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored, it executes every time a user visits the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the infected page and has a CVSS 3.1 base score of 6.4, reflecting its medium severity. The attack vector is network-based, with low attack complexity and privileges required, but no user interaction needed. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing contributor-level access to untrusted users. The scope is limited to sites with the vulnerable plugin installed, but the impact on confidentiality and integrity can be substantial if exploited.

The primary impact of CVE-2024-4045 is the compromise of confidentiality and integrity on affected WordPress sites. Attackers can inject malicious scripts that execute in the context of users visiting the infected pages, potentially leading to session hijacking, credential theft, defacement, or unauthorized actions performed with the victim's privileges. This can erode user trust, damage brand reputation, and lead to data breaches. Since the vulnerability requires contributor-level access, insider threats or compromised accounts pose a significant risk. The availability impact is minimal, but the overall risk to site security and user data is considerable. Organizations relying on the OptinMonster Popup Builder for lead generation and email marketing could face disruptions in their marketing operations and legal consequences if user data is compromised. The vulnerability also increases the attack surface for further exploitation, such as pivoting to more severe attacks or malware distribution.

To mitigate CVE-2024-4045, organizations should immediately update the Popup Builder by OptinMonster plugin to a version that addresses this vulnerability once available. Until a patch is released, restrict contributor-level permissions to trusted users only and audit existing contributor accounts for suspicious activity. Implement web application firewalls (WAFs) with rules to detect and block suspicious payloads targeting the 'campaign_id' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor logs for unusual behavior or script injections related to this plugin. Additionally, conduct security awareness training for users with elevated permissions to prevent social engineering attacks that could lead to account compromise. Finally, consider isolating or sandboxing critical WordPress instances to reduce the blast radius of potential exploitation.