CVE-2024-4895: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdatatables wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
CVE-2024-4895 is a stored cross-site scripting (XSS) vulnerability in the wpDataTables WordPress plugin, affecting all versions up to 3.4.2.12. The flaw arises from insufficient input sanitization and output escaping in the CSV import functionality, allowing unauthenticated attackers to inject malicious scripts. These scripts execute whenever a user accesses the compromised page, potentially leading to session hijacking or defacement. The vulnerability has a medium CVSS score of 4.7, requiring user interaction and having a high attack complexity. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or mitigating this issue to prevent exploitation.
AI Analysis
Technical Summary
CVE-2024-4895 is a stored cross-site scripting (XSS) vulnerability identified in the wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin, which is widely used to create dynamic tables and charts within WordPress sites. The vulnerability exists in all plugin versions up to and including 3.4.2.12 and stems from improper neutralization of input during web page generation, specifically in the CSV import functionality. Due to insufficient input sanitization and lack of proper output escaping, an unauthenticated attacker can craft malicious CSV files containing embedded JavaScript payloads. When these files are imported into the plugin, the malicious scripts are stored persistently and executed in the context of any user who views the affected page. This stored XSS can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 4.7, indicating medium severity, with a network attack vector, no privileges required, user interaction required (viewing the infected page), and high attack complexity. The scope is changed as the vulnerability affects the confidentiality and integrity of user data. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is tracked under CWE-79, a common and critical web security issue.
Potential Impact
The impact of CVE-2024-4895 on organizations worldwide can be significant, especially for those relying on the wpDataTables plugin for data presentation on WordPress sites. Successful exploitation allows attackers to inject persistent malicious scripts that execute in the browsers of site visitors or administrators. This can lead to theft of authentication cookies, enabling account takeover, unauthorized actions on behalf of users, defacement of websites, or distribution of malware. The vulnerability affects confidentiality and integrity but does not directly impact availability. Since the attack requires user interaction (visiting a compromised page), the risk is somewhat mitigated but still substantial given the popularity of WordPress and the plugin. Organizations with high-traffic WordPress sites, especially those handling sensitive user data or administrative functions, face increased risk. Additionally, the presence of unauthenticated exploitation means attackers can target any vulnerable site without needing credentials, increasing the attack surface. The lack of known exploits in the wild suggests limited active exploitation currently, but the vulnerability's nature makes it a likely target for future attacks.
Mitigation Recommendations
To mitigate CVE-2024-4895, organizations should immediately update the wpDataTables plugin to a patched version once available. In the absence of an official patch, administrators should restrict or disable the CSV import functionality to prevent injection of malicious scripts. Implement strict input validation and sanitization on all imported CSV data, ensuring that any HTML or JavaScript content is neutralized before storage or rendering. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Monitor web server and application logs for unusual activity related to CSV imports or page views. Educate users and administrators about the risks of interacting with untrusted content on the site. Additionally, consider using web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the plugin. Regularly audit and scan WordPress installations for outdated plugins and known vulnerabilities. Finally, maintain backups and incident response plans to quickly recover from potential compromises.
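The following Python is an added illustration for this write-up and is not code from wpDataTables or its maintainers. It walks through the import-and-render path the analysis describes with a constructed CSV upload: one cell carries markup, the vulnerable renderer concatenates cells straight into the HTML table, and the hardened renderer escapes every cell at output time. It also shows two of the mitigations above as code: an import-time check that flags markup-like cells for logging or rejection, and a Content-Security-Policy header value that refuses inline script even if escaping is missed. All function names, the sample CSV and the payload string are constructed for the example.

```python
"""Added example for the CVE-2024-4895 write-up (not the plugin's code):
unescaped CSV cells rendered into an HTML table, beside the defender
controls the advisory recommends (neutralise on import, escape on output,
restrict inline script with CSP)."""
import csv
import html
import io
import re

# Constructed CSV upload; the third cell of the second row carries markup.
SAMPLE_CSV = (
    "name,department,notes\n"
    "Alice,Finance,Q3 forecast reviewed\n"
    'Bob,IT,"<img src=x onerror=alert(1)>"\n'
)

# Matches anything that looks like an HTML tag, an inline event handler or a
# javascript: URL. It is a triage filter for import-time logging/review, so
# a false positive on ordinary text is acceptable.
MARKUP_RE = re.compile(r"<[a-zA-Z/!]|on\w+\s*=|javascript:", re.IGNORECASE)


def parse_csv(text):
    """Return (header, rows) from CSV text using the stdlib parser."""
    rows = list(csv.reader(io.StringIO(text)))
    return rows[0], rows[1:]


def flag_suspicious_cells(rows):
    """Import-time check: return (row_index, col_index, value) for every cell
    that contains markup-like content, so it can be logged or rejected."""
    hits = []
    for r, row in enumerate(rows):
        for c, cell in enumerate(row):
            if MARKUP_RE.search(cell):
                hits.append((r, c, cell))
    return hits


def render_table_vulnerable(header, rows):
    """Vulnerable pattern: cell text is concatenated into HTML unescaped, so
    markup stored in a cell becomes live DOM for every viewer of the page."""
    out = ["<table>", "<tr>" + "".join(f"<th>{h}</th>" for h in header) + "</tr>"]
    for row in rows:
        out.append("<tr>" + "".join(f"<td>{cell}</td>" for cell in row) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


def render_table_hardened(header, rows):
    """Hardened pattern: every cell is HTML-escaped at output time. quote=True
    also escapes quote characters, so the same helper is safe in attributes."""
    def esc(s):
        return html.escape(s, quote=True)

    out = ["<table>", "<tr>" + "".join(f"<th>{esc(h)}</th>" for h in header) + "</tr>"]
    for row in rows:
        out.append("<tr>" + "".join(f"<td>{esc(cell)}</td>" for cell in row) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


def csp_header():
    """Restrictive Content-Security-Policy for pages that embed such tables.
    Without 'unsafe-inline' in script-src, the browser refuses an injected
    inline handler or <script> block even when output escaping is missed."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


if __name__ == "__main__":
    header, rows = parse_csv(SAMPLE_CSV)
    print("suspicious cells:", flag_suspicious_cells(rows))
    print(render_table_vulnerable(header, rows))
    print(render_table_hardened(header, rows))
    print("Content-Security-Policy:", csp_header())
```

The import-time check is deliberately loose: it is meant to drive a log entry or a manual review of the upload, matching the recommendation to monitor CSV imports, not to replace output escaping. Output escaping is the control that actually closes the hole, and CSP is the backstop for the case where a rendering path is missed.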
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-05-15T05:43:14.775Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b98b7ef31ef0b55709e
Added to database: 2/25/2026, 9:37:28 PM
Last enriched: 2/26/2026, 12:57:45 AM
Last updated: 2/26/2026, 9:41:57 AM
Views: 1