CVE-2024-4939 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Weaver Xtreme Theme Support plugin for WordPress, affecting all versions up to and including 6.4. The root cause is insufficient sanitization and escaping of user-supplied input within the plugin's div shortcode attributes. This flaw allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the malicious script is stored and rendered whenever the page is accessed, it can affect any user visiting the compromised page, including administrators. The vulnerability leverages CWE-79, which involves improper neutralization of input during web page generation. The CVSS 3.1 score of 6.4 reflects a medium severity with a network attack vector, low attack complexity, requiring privileges but no user interaction, and impacts confidentiality and integrity but not availability. Exploitation could enable session hijacking, unauthorized actions on behalf of users, or defacement. No public exploits have been reported yet, but the vulnerability's presence in a popular WordPress plugin makes it a notable risk. The plugin's widespread use in WordPress sites means many websites could be vulnerable if not updated or mitigated. The lack of official patches at the time of reporting necessitates immediate attention from site administrators.

The impact of CVE-2024-4939 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts, which execute in the context of any user viewing the infected page. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential site defacement. While availability is not directly impacted, the reputational damage and potential data breaches can have significant operational and financial consequences. Organizations relying on the Weaver Xtreme Theme Support plugin for their WordPress sites, especially those with multiple contributors, face increased risk of insider threat exploitation or compromised contributor accounts. The vulnerability's ease of exploitation (low complexity) combined with the broad scope of affected systems worldwide amplifies the threat. Attackers do not require user interaction beyond visiting the infected page, increasing the likelihood of successful attacks once the vulnerability is exploited.

To mitigate CVE-2024-4939, organizations should immediately restrict contributor-level access to trusted users only, minimizing the risk of malicious script injection. Site administrators should monitor and audit content created or edited via the div shortcode for suspicious or unexpected scripts. Until an official patch is released, consider disabling or removing the Weaver Xtreme Theme Support plugin if feasible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the vulnerable shortcode attributes. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the site. Regularly back up site content and databases to enable quick restoration if compromise occurs. Educate contributors about safe content creation practices and the risks of injecting untrusted code. Once a patch becomes available, apply it promptly. Additionally, consider using security plugins that scan for XSS vulnerabilities and monitor for anomalous behavior on WordPress sites.