CVE-2024-5427 is a stored cross-site scripting vulnerability classified under CWE-79, found in the WPCafe plugin for WordPress, which provides online food ordering, restaurant menu, delivery, and reservation functionalities integrated with WooCommerce. The vulnerability exists in the plugin's Reservation Form shortcode, where user-supplied attributes are not properly sanitized or escaped before being rendered on web pages. This flaw allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability affects all versions up to and including 2.2.24. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, and a scope change with limited confidentiality and integrity impact but no availability impact. No public exploits have been reported yet, but the vulnerability's presence in a widely used WordPress plugin integrated with e-commerce platforms makes it a significant concern. The issue stems from inadequate input validation and output encoding, which are fundamental security best practices for web applications.

The exploitation of CVE-2024-5427 can lead to the execution of arbitrary JavaScript in the context of affected websites, enabling attackers to hijack user sessions, steal sensitive information such as authentication cookies, perform actions on behalf of users, or deface web content. For organizations relying on WPCafe for online food ordering and reservations, this can result in loss of customer trust, data breaches, and potential financial losses. Since the attack requires authenticated access at contributor level or higher, insider threats or compromised accounts pose a significant risk. The scope includes all users who visit the injected pages, potentially amplifying the impact. Although availability is not affected, the confidentiality and integrity of user data and site content are at risk. The vulnerability could be leveraged as a foothold for further attacks, including privilege escalation or malware distribution. The absence of known exploits in the wild currently limits immediate widespread impact, but the medium severity score and the plugin's popularity warrant proactive mitigation.

Organizations should immediately update the WPCafe plugin to a version that addresses this vulnerability once available from the vendor. Until a patch is released, administrators should restrict contributor-level access to trusted users only and audit existing user privileges to minimize risk. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious input patterns related to script injection can provide interim protection. Site owners should also review and sanitize all user-generated content, especially in reservation forms, using server-side validation and output encoding libraries compliant with OWASP guidelines. Regularly monitoring logs for unusual activity and scanning for injected scripts can help detect exploitation attempts. Employing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources. Finally, educating users about the risks of phishing and social engineering can help prevent account compromise that might lead to exploitation.