CVE-2024-5252 identifies a stored cross-site scripting (XSS) vulnerability in the Ultimate Addons for WPBakery plugin for WordPress, specifically in the ultimate_info_table shortcode. This vulnerability is due to improper neutralization of user-supplied input during web page generation, classified under CWE-79. The plugin fails to adequately sanitize and escape attributes provided by users, which allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of the victim. The vulnerability affects all versions up to and including 3.19.20. Exploitation requires authentication but no user interaction beyond viewing the infected page. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impact. No public exploits are currently known. The vulnerability highlights the risk posed by insufficient input validation in widely used WordPress plugins, especially those that allow content creation by lower-privileged users. The stored nature of the XSS increases risk since malicious code persists and affects multiple users.

The impact of CVE-2024-5252 is significant for organizations using the Ultimate Addons for WPBakery plugin on WordPress sites, particularly those allowing contributor-level users to add or edit content. Successful exploitation can lead to session hijacking, unauthorized actions performed in the context of other users, defacement, or distribution of malware through the injected scripts. This can damage organizational reputation, lead to data breaches, and compromise user trust. Since WordPress powers a large portion of websites globally, including many corporate, media, and e-commerce sites, the vulnerability could be leveraged to target high-value sites with contributor access granted to multiple users. The requirement for authentication limits exploitation to insiders or compromised accounts, but the lack of user interaction needed and the stored nature of the XSS increase the attack surface. Organizations with large editorial teams or user-generated content are at heightened risk. Additionally, attackers could use this vulnerability as a foothold for further attacks within the network or to pivot to other systems.

To mitigate CVE-2024-5252, organizations should: 1) Immediately update the Ultimate Addons for WPBakery plugin to a patched version once released by Brainstorm Force. In the absence of a patch, consider disabling or removing the plugin temporarily. 2) Restrict contributor-level permissions to trusted users only and review user roles to minimize unnecessary privileges. 3) Implement strict input validation and output encoding on all user-supplied data, especially in shortcodes and content-generating components. 4) Employ Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting this plugin. 5) Monitor logs and website content for suspicious script injections or unauthorized changes. 6) Educate content creators and administrators about the risks of XSS and safe content practices. 7) Consider deploying Content Security Policy (CSP) headers to reduce the impact of injected scripts. 8) Regularly audit plugins and themes for vulnerabilities and maintain an up-to-date inventory of WordPress components.