CVE-2024-5571 is a stored cross-site scripting vulnerability classified under CWE-79, found in the EmbedPress WordPress plugin, which enables embedding of PDFs, Google Docs, videos, audios, maps, and other documents within Gutenberg and Elementor editors. The vulnerability exists due to insufficient input sanitization and output escaping of the 'url' attribute in the EmbedPress PDF widget. This allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, cookies, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 4.0.1. The attack vector is remote over the network, with low complexity and no user interaction required beyond authentication. The scope is confined to the affected WordPress sites using this plugin, but the impact can be significant due to the stored nature of the XSS, enabling persistent attacks. The CVSS 3.1 score of 6.4 reflects a medium severity with partial confidentiality and integrity impacts but no availability impact. No public exploits have been reported yet, but the vulnerability is publicly disclosed, increasing the risk of future exploitation.

The primary impact of CVE-2024-5571 is the potential compromise of user sessions and site integrity through persistent cross-site scripting attacks. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, leading to theft of authentication cookies, defacement, or unauthorized actions such as content manipulation or privilege escalation attempts. This can erode user trust, damage brand reputation, and lead to data breaches. Since the vulnerability requires authenticated access, the risk is higher in environments with many contributors or weak internal access controls. The stored nature of the XSS means the malicious payload persists until removed, increasing exposure. Although availability is not impacted, confidentiality and integrity are at risk. Organizations running WordPress sites with this plugin, especially those with multiple contributors or public-facing content, face increased risk of targeted attacks and potential compromise.

To mitigate CVE-2024-5571, organizations should immediately update the EmbedPress plugin to a version where this vulnerability is patched once available. Until a patch is released, administrators should restrict contributor-level access to trusted users only and audit existing embedded content for suspicious scripts or URLs. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'url' attribute can reduce risk. Additionally, applying Content Security Policy (CSP) headers to restrict execution of unauthorized scripts can mitigate impact. Regularly scanning WordPress sites with security plugins that detect XSS payloads and monitoring logs for unusual contributor activity are recommended. Educating contributors about safe content embedding practices and enforcing strong authentication and access controls further reduce exploitation likelihood. Finally, ensure backups are maintained to restore clean site states if compromise occurs.