CVE-2024-45456 identifies a stored cross-site scripting vulnerability in the JoomUnited WP Meta SEO plugin for WordPress, affecting all versions up to and including 4.5.13. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be stored persistently within the application. When other users or administrators view the affected pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users to malicious websites, or enabling further attacks such as privilege escalation or data theft. The vulnerability does not require authentication, increasing its risk profile, and can be exploited remotely by submitting crafted input through the plugin's interface. Although no public exploits have been observed, the widespread use of WordPress and the popularity of SEO plugins make this a notable threat. The absence of a CVSS score suggests the need for an independent severity assessment based on the vulnerability's characteristics. The stored XSS nature means the malicious payload persists until removed, increasing the attack surface. The vulnerability was officially published on September 15, 2024, with no patch links currently available, indicating that mitigation relies on vendor updates or temporary workarounds.

The impact of CVE-2024-45456 is significant for organizations using the WP Meta SEO plugin, as stored XSS vulnerabilities can lead to session hijacking, unauthorized actions performed on behalf of users, defacement of websites, and distribution of malware through injected scripts. Attackers can exploit this flaw to compromise the confidentiality and integrity of user data and potentially disrupt availability by injecting disruptive scripts. Since the vulnerability does not require authentication, any visitor or attacker with access to input fields can exploit it, broadening the scope of affected systems. This can damage organizational reputation, lead to regulatory compliance issues, and cause financial losses due to remediation costs and potential data breaches. The persistent nature of stored XSS means that once exploited, the malicious code remains active until detected and removed, increasing the risk of prolonged compromise. Organizations with high-traffic websites or those handling sensitive user information are particularly vulnerable.

To mitigate CVE-2024-45456, organizations should immediately monitor for updates or patches released by JoomUnited and apply them as soon as they become available. In the interim, implement strict input validation and output encoding on all user-supplied data processed by the WP Meta SEO plugin to prevent malicious scripts from being stored or executed. Employ Web Application Firewalls (WAFs) with rules designed to detect and block typical XSS payloads targeting WordPress plugins. Conduct regular security audits and scanning of the website to identify and remove any injected malicious scripts. Limit user permissions to reduce the risk of exploitation by unauthorized users. Educate administrators and users about the risks of XSS and encourage vigilance for unusual website behavior. Additionally, consider disabling or replacing the plugin if a timely patch is not forthcoming and the risk is deemed unacceptable.