CVE-2024-4632 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the WooCommerce Checkout & Funnel Builder by CartFlows plugin for WordPress. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the 'custom_upload_mimes' function. This function fails to adequately sanitize and escape user-supplied input, allowing authenticated attackers with contributor-level or higher permissions to inject arbitrary JavaScript code into pages generated by the plugin. When other users visit these pages, the injected scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or data theft. The vulnerability affects all versions up to and including 2.0.7. The CVSS 3.1 base score is 6.4, reflecting a network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, and a scope change due to impact on other users. No patches or exploit code are currently publicly available, but the risk remains significant due to the plugin's popularity in WooCommerce-based e-commerce sites. The vulnerability highlights the importance of strict input validation and output encoding in WordPress plugin development, especially for plugins handling user-generated content or configurations.

The impact of CVE-2024-4632 is primarily on the confidentiality and integrity of affected websites and their users. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts, which execute in the context of other users’ browsers. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential privilege escalation if administrative users are targeted. For e-commerce sites using WooCommerce and CartFlows, this could result in compromised customer data, fraudulent transactions, and reputational damage. The vulnerability does not directly affect availability but can indirectly disrupt business operations through loss of customer trust or regulatory penalties. Given the widespread use of WordPress and WooCommerce globally, the scope of affected systems is large, increasing the potential scale of impact. Organizations that allow contributor-level permissions broadly or do not monitor plugin updates are at higher risk.

To mitigate CVE-2024-4632, organizations should immediately audit and restrict contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. Administrators should monitor and apply security updates or patches from CartFlows as soon as they are released. In the absence of an official patch, temporarily disabling or removing the vulnerable plugin can reduce exposure. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting the 'custom_upload_mimes' parameter can provide interim protection. Additionally, implementing Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script execution sources. Regular security scanning and code review of plugins, especially those handling user inputs, should be part of the security hygiene. Logging and monitoring for unusual activities related to plugin pages can aid in early detection of exploitation attempts. Finally, educating users with contributor permissions about safe input practices and potential risks is beneficial.