CVE-2024-5667 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the WP Featherlight – A Simple jQuery Lightbox WordPress plugin developed by cipherdevgroup. The vulnerability exists in the bundled Featherlight.js JavaScript library versions 1.7.13 to 1.7.14, which are included in various versions of the plugin. The root cause is insufficient sanitization and escaping of user-supplied input attributes during web page generation, allowing malicious scripts to be stored persistently within the website content. An attacker with authenticated contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. When other users access these compromised pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability does not require user interaction beyond viewing the infected page, and the attack complexity is low since the attacker only needs contributor access. The CVSS v3.1 base score is 6.4, indicating a medium severity with network attack vector, low complexity, privileges required, no user interaction, and a scope change due to impact on other users. No public exploits or patches are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly. This issue affects all versions of the plugin that bundle the vulnerable Featherlight.js versions, which are widely used in WordPress sites for lightbox functionality.

The impact of CVE-2024-5667 is significant for organizations running WordPress sites with the vulnerable WP Featherlight plugin. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the browsers of site visitors and administrators. This can lead to theft of authentication cookies, enabling account takeover and privilege escalation. Attackers may also manipulate site content, deface pages, or redirect users to malicious sites. The confidentiality and integrity of the website and its users’ data are at risk, although availability is not directly affected. Since contributor-level access is required, the threat is primarily from insider threats or compromised accounts. However, given the widespread use of WordPress and the plugin, the vulnerability could be leveraged in targeted attacks against organizations with valuable web assets, including e-commerce, media, and government sites. The scope of impact extends beyond the initial compromised account to all users who view the infected pages, increasing the potential damage.

To mitigate CVE-2024-5667, organizations should first check if their WordPress installations use the WP Featherlight plugin and identify the version of the bundled Featherlight.js library. Since no official patch is currently available, immediate mitigation steps include: 1) Restrict contributor-level access strictly to trusted users and audit existing user privileges to minimize risk. 2) Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the plugin’s input fields. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. 4) Sanitize and validate all user inputs on the server side, especially those related to the plugin’s functionality, using custom code or security plugins that enforce strict input validation. 5) Monitor logs and site content for suspicious script injections or unexpected changes. 6) Stay updated with vendor announcements for official patches or plugin updates addressing this vulnerability and apply them promptly once available. 7) Consider temporarily disabling or replacing the WP Featherlight plugin with alternative lightbox solutions that do not have this vulnerability.