CVE-2024-4821 is a stored cross-site scripting vulnerability classified under CWE-79, found in the WP Shortcodes Plugin — Shortcodes Ultimate, developed by gn_themes. This vulnerability exists in all plugin versions up to and including 7.1.6. The root cause is insufficient sanitization and escaping of user-supplied attributes in the su_lightbox shortcode, which is used to display content in lightbox overlays on WordPress sites. Authenticated attackers with contributor-level or higher privileges can inject arbitrary JavaScript code into pages or posts via this shortcode. Because the malicious script is stored persistently in the website’s content, it executes every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability does not require user interaction beyond visiting the infected page and does not require elevated privileges beyond contributor access, which is commonly granted on many WordPress sites. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required. The scope is changed as the vulnerability can affect other users viewing the injected content. No public exploits have been reported yet, but the vulnerability poses a significant risk due to WordPress’s widespread use and the commonality of the affected plugin. The absence of a patch link indicates that a fix may not yet be available, increasing urgency for mitigation.

The primary impact of CVE-2024-4821 is the compromise of confidentiality and integrity of user sessions and data on affected WordPress sites. Attackers can execute arbitrary JavaScript in the context of the vulnerable site, enabling theft of authentication cookies, redirection to malicious sites, defacement, or further exploitation such as privilege escalation or malware delivery. Since contributor-level users can exploit this, sites with multiple content editors or contributors are at higher risk. The vulnerability does not directly impact availability but can indirectly cause service disruption through defacement or administrative lockout. Organizations relying on the affected plugin for content management or marketing may suffer reputational damage and user trust loss if exploited. The widespread use of WordPress globally means the potential attack surface is large, especially for sites that allow contributor-level access without strict user management. The vulnerability’s stored nature means the malicious payload persists until removed, increasing exposure duration.

1. Immediately restrict contributor-level access to trusted users only, minimizing the risk of malicious shortcode injection. 2. Temporarily disable or remove the WP Shortcodes Plugin — Shortcodes Ultimate until a vendor patch is released. 3. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode parameters. 4. Conduct a thorough audit of existing content for injected scripts, especially in pages using the su_lightbox shortcode, and remove any malicious code. 5. Enforce strict input validation and output escaping on all user-generated content, particularly shortcodes, using security plugins or custom code. 6. Monitor user activity logs for unusual contributor behavior indicative of exploitation attempts. 7. Stay updated with vendor announcements and apply patches promptly once available. 8. Educate content contributors about the risks of injecting untrusted code or scripts. 9. Consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. 10. Backup site data regularly to enable recovery in case of compromise.