CVE-2024-5205 is a stored cross-site scripting (XSS) vulnerability identified in the Videojs HTML5 Player plugin for WordPress, developed by naa986. This vulnerability affects all plugin versions up to and including 1.1.11. The root cause is improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes within the plugin's videojs_video shortcode. Authenticated attackers with contributor-level or higher privileges can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected site. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, requiring only low complexity and no user interaction, but it does require the attacker to be authenticated with contributor or higher permissions. The scope is considered changed (S:C) because the vulnerability can affect other users beyond the attacker. Confidentiality and integrity impacts are partial, while availability is not affected. No known public exploits have been reported at this time, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing contributor-level access to untrusted users.

The primary impact of CVE-2024-5205 is the potential for stored XSS attacks on WordPress sites using the vulnerable Videojs HTML5 Player plugin. Successful exploitation allows authenticated contributors or higher to inject malicious scripts that execute in the browsers of any user viewing the infected page. This can lead to theft of session cookies, enabling account takeover or privilege escalation. It may also facilitate defacement, unauthorized actions, or distribution of malware to site visitors. While availability is not impacted, the confidentiality and integrity of user data and site content are at risk. Organizations relying on this plugin, especially those with multiple contributors or less stringent access controls, face increased risk of compromise. The vulnerability could be leveraged in targeted attacks against high-value WordPress sites, including media, publishing, and corporate websites. The lack of public exploits currently limits widespread impact, but the medium severity score and ease of exploitation by authenticated users necessitate prompt remediation to prevent potential damage.

To mitigate CVE-2024-5205, organizations should immediately update the Videojs HTML5 Player plugin to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling or removing the plugin to eliminate the attack surface. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the videojs_video shortcode parameters can provide interim protection. Site owners should audit existing content for injected scripts and remove any suspicious code. Additionally, enforcing strict Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script sources. Regularly monitoring logs for unusual activity related to the plugin and educating contributors about safe content practices will further reduce risk. Finally, applying the principle of least privilege by limiting user roles and permissions reduces the likelihood of exploitation.