CVE-2024-4942 is a stored cross-site scripting (XSS) vulnerability identified in the Custom Dash plugin for WordPress, developed by dextorlobo. This vulnerability exists in all versions up to and including 1.0.2 due to insufficient sanitization of input and inadequate output escaping in the plugin's admin settings interface. Specifically, the flaw allows authenticated users with administrator-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. These malicious scripts are stored persistently and execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability is constrained to multi-site WordPress installations or single-site setups where the unfiltered_html capability is disabled, limiting the attack surface. The CVSS 3.1 base score of 4.4 reflects a medium severity rating, driven by the requirement for high privileges (administrator access), high attack complexity, and no user interaction needed for exploitation. The vulnerability affects confidentiality and integrity but does not impact availability. No patches or known exploits have been reported at the time of publication. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation, a common cause of XSS issues. This vulnerability underscores the importance of proper input validation and output encoding in WordPress plugins, especially those managing administrative interfaces and multi-site environments.

The impact of CVE-2024-4942 is primarily on the confidentiality and integrity of affected WordPress multi-site installations using the Custom Dash plugin. An attacker with administrator-level access can inject malicious scripts that execute in the context of other users visiting the injected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, or the spread of malware. Although the vulnerability does not directly affect availability, the compromise of administrative accounts or user sessions can lead to broader security incidents, including defacement or data leakage. The requirement for administrator privileges limits the risk to insider threats or attackers who have already compromised an admin account, but the multi-site context increases the potential reach of the attack across multiple sites managed under one WordPress installation. Organizations relying on this plugin in multi-site configurations face increased risk of internal compromise and lateral movement within their web infrastructure. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks, especially as exploit code may be developed once the vulnerability becomes widely known.

To mitigate CVE-2024-4942, organizations should first verify if they are running the Custom Dash plugin version 1.0.2 or earlier in a multi-site WordPress environment or with unfiltered_html disabled. Since no official patch is currently available, administrators should consider the following specific actions: 1) Restrict administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 2) Temporarily disable or uninstall the Custom Dash plugin if it is not essential, especially in multi-site setups. 3) Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts targeting the plugin’s admin settings. 4) Monitor logs and audit admin activities for unusual behavior that might indicate exploitation attempts. 5) Educate administrators about the risks of stored XSS and the importance of cautious input handling. 6) Regularly review and update WordPress core, plugins, and themes to incorporate security fixes once available. 7) Consider isolating multi-site installations or limiting the use of unfiltered_html capability to reduce attack surface. These targeted mitigations go beyond generic advice by focusing on access control, monitoring, and temporary plugin management until a vendor patch is released.