CVE-2024-5255 is a stored cross-site scripting (XSS) vulnerability identified in the Ultimate Addons for WPBakery plugin for WordPress, specifically in the ultimate_dual_color shortcode. This vulnerability exists due to insufficient sanitization and escaping of user-supplied attributes before rendering them on web pages. Authenticated attackers with contributor-level or higher privileges can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deliver further malicious payloads. The vulnerability affects all plugin versions up to and including 3.19.20. The CVSS 3.1 base score is 6.4, reflecting a medium severity level, with an attack vector over the network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C) indicating impact beyond the vulnerable component. Confidentiality and integrity are impacted, but availability is not. No known public exploits have been reported yet. The vulnerability was publicly disclosed on July 17, 2024, and no official patches have been linked in the provided data. The flaw stems from a common web application security issue classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript in the context of affected websites, leading to session hijacking, unauthorized actions, defacement, or distribution of malware. Since the vulnerability requires contributor-level access, attackers must first compromise or gain such privileges, which may be feasible on sites with weak user management or social engineering. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the plugin itself, potentially compromising the entire site or user base. For organizations relying on WordPress with this plugin, especially those with multiple content contributors, the risk includes data leakage, loss of user trust, and reputational damage. Although no known exploits are currently in the wild, the widespread use of WordPress and the plugin increases the likelihood of future exploitation attempts. The vulnerability does not impact availability, so denial-of-service is not a concern here. However, the confidentiality and integrity of user data and site content are at risk.

Organizations should immediately audit their WordPress installations to identify the presence and version of the Ultimate Addons for WPBakery plugin. If possible, upgrade to a patched version once available from Brainstorm Force. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and implement strict content moderation workflows to review and sanitize user-generated content before publishing. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections in shortcode attributes can provide interim protection. Additionally, enabling Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Regularly scanning the site for injected scripts or anomalous content is recommended. Educating content contributors about safe input practices and monitoring user activity logs for unusual behavior can further reduce risk. Finally, ensure that all other WordPress components and plugins are kept up to date to minimize the attack surface.