CVE-2024-4783 is a stored cross-site scripting (XSS) vulnerability identified in the jQuery T(-) Countdown Widget plugin for WordPress, affecting all versions up to and including 2.3.25. The vulnerability stems from improper neutralization of script-related HTML tags (CWE-80) due to insufficient input sanitization and output escaping of user-supplied attributes within the plugin's tminus shortcode. This flaw allows an authenticated attacker with contributor-level access or higher to inject arbitrary JavaScript code into pages or posts. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and a scope change (S:C) that affects confidentiality and integrity (C:L/I:L) but not availability (A:N). No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the risks posed by insufficient input validation in widely used WordPress plugins, especially those that allow user-generated content or shortcode attributes. Attackers exploiting this vulnerability can compromise site visitors and administrators, undermining trust and security of affected websites.

The impact of CVE-2024-4783 is significant for organizations using the vulnerable jQuery T(-) Countdown Widget plugin on WordPress sites. Successful exploitation enables attackers with contributor-level access to inject persistent malicious scripts, which execute in the browsers of any user visiting the infected pages. This can lead to theft of authentication cookies, session tokens, or other sensitive information, enabling account takeover or privilege escalation. It may also facilitate further attacks such as phishing, malware distribution, or defacement. Since the vulnerability requires authenticated access, the risk is mitigated somewhat by internal controls on user roles, but many WordPress sites allow contributors or similar roles to add content, making exploitation feasible. The scope of affected systems is broad given WordPress's global popularity and the plugin's usage. Confidentiality and integrity of site data and user information are at risk, potentially damaging organizational reputation and user trust. Although availability is not directly impacted, indirect effects such as blacklisting by search engines or browsers could occur. Organizations with high-traffic websites or those handling sensitive user data face elevated risks.

To mitigate CVE-2024-4783, organizations should first verify if they are using the jQuery T(-) Countdown Widget plugin and identify the version in use. Since no official patch links are currently available, administrators should monitor the vendor's site and trusted security advisories for updates or patches and apply them promptly once released. In the interim, restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious shortcode injection. Implement web application firewall (WAF) rules to detect and block suspicious script injections targeting shortcode parameters. Employ strict input validation and output encoding on all user-supplied content, especially shortcode attributes, to prevent script execution. Regularly audit site content for unauthorized scripts or modifications. Consider disabling or replacing the vulnerable plugin with a secure alternative if patching is delayed. Educate content contributors about secure content practices and the risks of injecting untrusted code. Finally, enable Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script sources.