CVE-2024-5192 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Funnel Builder for WordPress by FunnelKit plugin, which customizes WooCommerce checkout pages and creates sales funnels. The vulnerability exists due to improper neutralization of input during web page generation, specifically via the 'mimes' parameter. This parameter is insufficiently sanitized and escaped before being rendered, allowing authenticated users with Author-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time the infected page is viewed by any user, potentially compromising session tokens, redirecting users to malicious sites, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 3.3.1. The CVSS 3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, privileges required at the Author level, no user interaction needed, and a scope change. The vulnerability impacts confidentiality and integrity but not availability. No public exploits have been reported yet, but the risk is significant given the plugin’s role in e-commerce workflows. The flaw is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability was published on June 29, 2024, and assigned by Wordfence. No official patches were linked at the time of reporting, indicating the need for immediate attention by site administrators.

The impact of CVE-2024-5192 is primarily on the confidentiality and integrity of affected WordPress sites using the Funnel Builder plugin. Successful exploitation allows attackers with Author-level privileges to inject persistent malicious scripts, which can lead to session hijacking, theft of sensitive user data, unauthorized actions on behalf of users, and potential privilege escalation. For e-commerce sites, this can result in fraudulent transactions, customer data compromise, and reputational damage. Since the injected scripts execute in the context of any user visiting the infected page, including administrators and customers, the scope of impact can be broad. The vulnerability does not affect availability directly but can indirectly cause service disruptions due to incident response or loss of customer trust. Organizations relying on WooCommerce and FunnelKit for checkout customization and sales funnels are at particular risk, especially if they allow multiple authors or contributors with elevated privileges. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers could develop exploits rapidly once details are public. Overall, the vulnerability poses a moderate risk to organizations worldwide, especially those with active WordPress e-commerce deployments.

1. Immediately restrict Author-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 2. Monitor and audit user inputs, especially those related to the 'mimes' parameter or any custom fields exposed by the Funnel Builder plugin. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts targeting this parameter. 4. Until an official patch is released, consider disabling or limiting the use of the Funnel Builder plugin features that accept user input or custom parameters. 5. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. 6. Regularly scan the website for injected scripts or anomalies in page content, focusing on pages generated by the Funnel Builder plugin. 7. Educate site administrators and content creators about the risks of XSS and the importance of input validation. 8. Once available, promptly apply official patches or updates from the vendor addressing this vulnerability. 9. Review and harden user role assignments and permissions to follow the principle of least privilege. 10. Backup site data regularly to enable recovery in case of compromise.