CVE-2024-4703 identifies a stored cross-site scripting (XSS) vulnerability in the horearadu One Page Express Companion plugin for WordPress, specifically in the one_page_express_contact_form shortcode. This vulnerability exists due to improper neutralization of user-supplied input during web page generation, classified under CWE-79. The plugin fails to adequately sanitize and escape attributes provided by authenticated users with contributor-level access or higher, allowing them to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising their session tokens, redirecting them to malicious sites, or performing unauthorized actions on their behalf. The vulnerability affects all plugin versions up to and including 1.6.37. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. No public exploits have been reported yet. The vulnerability's impact is primarily on confidentiality and integrity, with no direct availability impact. The flaw is significant because contributor-level users are often trusted and may be numerous in some WordPress installations, increasing the risk of exploitation. The lack of patches at the time of reporting necessitates immediate attention from administrators to mitigate risk.

The primary impact of CVE-2024-4703 is the potential compromise of user confidentiality and integrity within affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, including administrators and other privileged users. This can lead to session hijacking, unauthorized actions performed with victim privileges, defacement, or redirection to phishing or malware sites. Although the vulnerability does not directly affect availability, the resulting trust erosion and potential data breaches can have significant reputational and operational consequences. Organizations relying on the One Page Express Companion plugin may face increased risk of targeted attacks, especially if contributor accounts are compromised or misused. The vulnerability is particularly concerning for high-traffic websites, multi-author blogs, or sites with sensitive user data. Since exploitation requires authenticated access, the risk is somewhat mitigated but remains substantial in environments with multiple contributors or weak account controls.

To mitigate CVE-2024-4703, organizations should: 1) Monitor for and apply official patches or updates from the plugin vendor as soon as they become available. 2) Restrict contributor-level access strictly to trusted users and review user roles regularly to minimize the number of accounts with such privileges. 3) Implement strong authentication mechanisms, including multi-factor authentication, to reduce the risk of account compromise. 4) Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads, especially on pages using the vulnerable shortcode. 5) Conduct regular security audits and code reviews of custom shortcodes or plugins to identify similar input validation issues. 6) Educate content contributors about safe content practices and the risks of injecting untrusted code. 7) Consider temporarily disabling or removing the One Page Express Companion plugin if immediate patching is not possible and the risk is unacceptable. 8) Use Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting script sources.