CVE-2024-5664 is a stored cross-site scripting vulnerability identified in the Sonaar MP3 Audio Player – Music Player, Podcast Player & Radio plugin for WordPress, affecting all versions up to and including 5.5. The vulnerability stems from insufficient input sanitization and output escaping of the 'id' attribute within the plugin’s sonaar_audioplayer shortcode. Authenticated users with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into the 'id' attribute, which is then stored and rendered on pages viewed by other users. This persistent XSS flaw allows attackers to execute scripts in the context of the victim’s browser without requiring user interaction. The CVSS 3.1 score of 6.4 reflects a medium severity, with the vector indicating network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed on behalf of victims. Although no public exploits are currently known, the vulnerability poses a significant risk due to the plugin’s popularity and the common use of contributor-level accounts in WordPress environments. The lack of available patches at the time of publication necessitates immediate mitigation steps to reduce exposure.

The exploitation of this stored XSS vulnerability can lead to several adverse impacts on affected organizations. Attackers can hijack user sessions, steal sensitive information such as authentication tokens or cookies, and perform unauthorized actions within the context of the victim’s privileges. This can result in website defacement, data leakage, or the spread of malware through injected scripts. Since the vulnerability requires contributor-level access, attackers who have compromised or obtained such accounts can escalate their foothold and potentially pivot to higher privilege accounts. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting the entire WordPress site. Organizations relying on this plugin for media playback and content delivery may face reputational damage, loss of user trust, and compliance issues if exploited. The risk is heightened in environments where contributor accounts are widely used or where user input is not tightly controlled.

To mitigate CVE-2024-5664, organizations should immediately restrict contributor-level account creation and review existing contributor accounts for suspicious activity. Implement strict input validation and output encoding on all user-supplied data, especially shortcode attributes, to prevent script injection. Until an official patch is released, consider disabling or removing the Sonaar MP3 Audio Player plugin if feasible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'id' attribute in the sonaar_audioplayer shortcode. Conduct regular security audits and penetration testing focused on XSS vulnerabilities in WordPress plugins. Educate content contributors about safe content practices and monitor logs for unusual shortcode usage patterns. Additionally, isolate WordPress administrative interfaces behind VPNs or IP allowlists to reduce the risk of unauthorized access. Once a patch is available, prioritize prompt application and verify the fix through testing.