CVE-2024-5902 is a stored cross-site scripting vulnerability classified under CWE-79 that affects the WordPress plugin 'User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds' developed by smub. The vulnerability arises from insufficient sanitization and escaping of the 'name' parameter within feedback form responses. An unauthenticated attacker can submit crafted input containing malicious JavaScript code into the feedback forms. When a high-privileged user, such as an administrator, views these responses in the WordPress dashboard, the malicious script executes in their browser context. This can lead to theft of authentication cookies, session tokens, or execution of arbitrary actions with the victim's privileges. The vulnerability affects all versions up to 1.0.15, with no available patches at the time of disclosure. The CVSS v3.1 score is 7.2 (High), reflecting network attack vector, no required privileges or user interaction, and a scope change due to potential compromise of administrative accounts. Although no known exploits are in the wild, the ease of exploitation and the high privileges targeted make this a significant threat to WordPress sites using this plugin. The vulnerability highlights the critical need for proper input validation and output encoding in web applications, especially those handling user-generated content.

The impact of CVE-2024-5902 is significant for organizations using the affected WordPress plugin. Successful exploitation allows unauthenticated attackers to execute arbitrary scripts in the context of high-privileged users, typically site administrators. This can lead to credential theft, session hijacking, unauthorized administrative actions, and potential full site compromise. The compromise of administrative accounts can further enable attackers to install backdoors, modify site content, or pivot to other internal systems. Since WordPress powers a large portion of websites globally, including e-commerce, government, and enterprise sites, the vulnerability poses a broad risk. The lack of required authentication and user interaction lowers the barrier for attackers, increasing the likelihood of exploitation. Organizations that do not promptly address this vulnerability risk data breaches, reputational damage, and operational disruption.

To mitigate CVE-2024-5902, organizations should immediately update the 'User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds' plugin to a patched version once available. In the absence of an official patch, administrators should consider disabling or uninstalling the plugin to eliminate exposure. Implementing web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'name' parameter can provide temporary protection. Administrators should also review and sanitize existing feedback entries to remove any injected scripts. Enforcing the principle of least privilege by limiting administrative access and using multi-factor authentication can reduce the impact of potential exploitation. Regular security audits and monitoring for unusual administrative activity are recommended. Finally, educating site administrators about the risks of XSS and safe handling of user-generated content can help prevent exploitation.