CVE-2024-5628 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Fusion Builder plugin developed by themefusion for WordPress websites. The vulnerability specifically targets the fusion_button shortcode, which improperly neutralizes user input during web page generation. This flaw exists in all versions up to and including 3.11.9, due to inadequate sanitization and escaping of user-supplied attributes. Authenticated attackers with contributor-level privileges or higher can exploit this vulnerability by injecting arbitrary JavaScript code into pages via the shortcode parameters. When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the victim’s session. The vulnerability was partially mitigated in version 3.11.9, but additional hardening against alternate attack vectors was implemented in version 3.11.10. The CVSS 3.1 base score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacts on confidentiality and integrity with no availability impact. No public exploits have been reported to date, but the vulnerability poses a significant risk to WordPress sites using the affected plugin versions.

The primary impact of CVE-2024-5628 is the potential compromise of confidentiality and integrity for websites using the vulnerable Fusion Builder plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors or administrators, enabling session hijacking, theft of sensitive information, or unauthorized actions such as content manipulation or privilege escalation. This can lead to reputational damage, loss of user trust, and potential data breaches. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by the need for an attacker to have contributor or higher privileges, but insider threats or compromised accounts increase the risk. The vulnerability does not impact availability directly but can facilitate further attacks that degrade service or lead to defacement. Organizations running WordPress sites with Fusion Builder, especially those with multiple contributors or less stringent access controls, face increased exposure. The partial fix in 3.11.9 and further hardening in 3.11.10 reduce but do not eliminate risk for sites not updated to the latest version.

To mitigate CVE-2024-5628, organizations should immediately update the Fusion Builder plugin to version 3.11.10 or later, which includes additional hardening against this XSS vulnerability. Until updates are applied, restrict contributor-level and higher privileges to trusted users only, and monitor user activities for suspicious behavior. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the fusion_button shortcode parameters. Conduct regular security audits of WordPress user roles and permissions to minimize the risk of privilege abuse. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting script sources and execution contexts. Additionally, sanitize and validate all user inputs on the server side beyond relying on plugin defaults. Educate site administrators and contributors about the risks of XSS and the importance of applying security updates promptly. Finally, maintain regular backups to enable recovery in case of compromise.