CVE-2024-5669 is a vulnerability classified under CWE-862 (Missing Authorization) found in the XPlainer – WooCommerce Product FAQ plugin, also known as WooCommerce Accordion FAQ Plugin, for WordPress. The flaw exists in all versions up to and including 1.6.4 due to the absence of a capability check in the 'ffw_activate_template' function. This function can be invoked by authenticated users with Subscriber-level privileges or higher, enabling them to store malicious cross-site scripting (XSS) payloads within the plugin's dashboard templates or FAQ content. When these templates or FAQs are viewed by administrators or other users with higher privileges, the stored XSS payload executes in their browsers. The vulnerability allows attackers to compromise confidentiality by stealing session cookies or sensitive data and integrity by modifying displayed content or performing unauthorized actions within the WordPress admin interface. The CVSS 3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and scope change (S:C). Although no known exploits are reported in the wild, the vulnerability's presence in a popular WooCommerce plugin makes it a significant risk for e-commerce sites using WordPress. The lack of a patch link indicates that users must monitor vendor updates or apply manual mitigations. The vulnerability does not affect availability directly but can facilitate further attacks if exploited.

The vulnerability enables attackers with minimal privileges (Subscriber-level) to inject persistent XSS payloads that execute in the context of higher-privileged users, such as administrators. This can lead to session hijacking, credential theft, unauthorized content modification, and potential privilege escalation within WordPress environments. For organizations running WooCommerce stores, this can result in compromised customer data, defacement of product FAQs, and loss of trust. Since WooCommerce is widely used in e-commerce, exploitation could disrupt business operations and damage brand reputation. The scope change in the CVSS vector indicates that the attack can affect components beyond the initially compromised user, amplifying the impact. Although availability is not directly impacted, the confidentiality and integrity breaches can have severe downstream effects, including compliance violations and financial losses.

1. Immediately update the XPlainer – WooCommerce Product FAQ plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict Subscriber-level users from accessing or interacting with the vulnerable 'ffw_activate_template' functionality by applying custom capability checks or role restrictions via WordPress hooks or security plugins. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the plugin's endpoints. 4. Conduct regular security audits of installed plugins, focusing on authorization checks and input sanitization. 5. Educate administrators to monitor dashboard templates and FAQs for unexpected or suspicious content. 6. Employ Content Security Policy (CSP) headers to mitigate the impact of stored XSS by restricting script execution sources. 7. Limit the number of users with Subscriber-level access and review user roles periodically to minimize attack surface. 8. Monitor WordPress logs for unusual activity related to the plugin's functions. These steps provide layered defense until an official patch is applied.