CVE-2024-6011: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in stylemix Cost Calculator Builder

Severity: Medium
Tags: Vulnerability, CVE-2024-6011, CWE-79
Published: Tue Jul 02 2024 (07/02/2024, 09:32:09 UTC)
Source: CVE Database V5
Vendor/Project: stylemix
Product: Cost Calculator Builder

Description

CVE-2024-6011 is a stored Cross-Site Scripting (XSS) vulnerability in the Cost Calculator Builder WordPress plugin by stylemix, affecting all versions up to 3.2.12. The flaw arises from insufficient sanitization and escaping of the ‘textarea.description’ parameter, allowing authenticated users with Administrator-level privileges or higher to inject malicious scripts. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious actions. Exploitation requires high privileges and no user interaction, with a medium CVSS score of 4.4. No known exploits are currently reported in the wild. Organizations using this plugin should promptly update or apply mitigations to prevent abuse.

AI-Powered Analysis

Last updated: 02/26/2026, 03:00:14 UTC

Technical Analysis

CVE-2024-6011 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Cost Calculator Builder plugin for WordPress developed by stylemix. This vulnerability exists in all versions up to and including 3.2.12 due to improper neutralization of input during web page generation. Specifically, the ‘textarea.description’ parameter does not undergo sufficient input sanitization or output escaping, allowing malicious JavaScript code to be stored persistently within the plugin's data. An attacker with Administrator-level access or higher privileges can exploit this flaw by injecting arbitrary scripts into the description field. These scripts are then executed in the context of any user who views the affected page, potentially leading to theft of session cookies, defacement, or further compromise of the site. The vulnerability requires authenticated access with high privileges; no user interaction is needed for the payload to execute once injected, and the scope is limited to sites using this plugin. The CVSS v3.1 base score is 4.4 (medium severity), reflecting a network attack vector, high attack complexity, high privileges required, no user interaction, and partial confidentiality and integrity impact. No public exploit code or active exploitation has been reported to date. The vulnerability was published on July 2, 2024, and was assigned by Wordfence. No official patch links are currently provided, so users must monitor vendor updates or apply manual mitigations.

Potential Impact

The primary impact of CVE-2024-6011 is the potential for stored XSS attacks on WordPress sites using the vulnerable Cost Calculator Builder plugin. Successful exploitation can lead to the execution of arbitrary JavaScript in the browsers of users visiting the compromised pages. This can result in session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, or the injection of further malicious payloads such as malware or phishing content. Although exploitation requires administrator-level access, the risk remains significant because compromised administrator accounts or insider threats could leverage this vulnerability to escalate attacks. The integrity and confidentiality of site data and user sessions are at risk, while availability is not directly impacted. Organizations with high-value WordPress sites, especially those relying on this plugin for business operations, face reputational damage, data breaches, and potential regulatory consequences if exploited. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, emphasizing the need for proactive mitigation.

Mitigation Recommendations

1. Immediately restrict administrative access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
2. Monitor and audit administrator activities to detect suspicious modifications to plugin content, especially the ‘textarea.description’ fields.
3. Until an official patch is released, consider disabling or uninstalling the Cost Calculator Builder plugin if feasible, or restrict its use to trusted administrators only.
4. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection patterns targeting the vulnerable parameter.
5. Sanitize and escape all user inputs and outputs related to the plugin manually if custom development resources are available, applying strict Content Security Policy (CSP) headers to limit script execution.
6. Regularly update WordPress core, plugins, and themes to the latest versions once the vendor releases a patch addressing this vulnerability.
7. Educate administrators on the risks of stored XSS and safe content management practices.
8. Conduct periodic security assessments and penetration testing focusing on plugin vulnerabilities and privilege abuse scenarios.
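
The escaping step in recommendation 5 is the core of the fix for a stored XSS like this one. The following is an added illustration, not the plugin's own code: a hypothetical render function that echoes a stored textarea description raw, beside the hardened form that escapes on output and strips tags on save. Function and CSS class names are assumptions; esc_html() and sanitize_textarea_field() are real WordPress helpers, with simplified stand-ins so the file also runs under plain PHP.

```php
<?php
// Added example (not stylemix's code): the stored-XSS sink pattern that
// CVE-2024-6011 describes, and the output escaping that closes it.
// render_description_* and save_description are hypothetical names.

// Simplified stand-ins so this file also runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_textarea_field')) {
    function sanitize_textarea_field($str) {
        // Real WP also drops invalid UTF-8 and stray octets; newlines are kept.
        return trim(strip_tags((string) $str));
    }
}

// VULNERABLE: the stored value is concatenated into markup unchanged,
// so any tags an administrator saved execute in every visitor's browser.
function render_description_vulnerable($description) {
    return '<p class="ccb-description">' . $description . '</p>';
}

// HARDENED: escape at output time. nl2br() runs after escaping so the
// textarea's line breaks survive without reintroducing raw markup.
// If limited formatting must be allowed, wp_kses_post() is the WP choice.
function render_description_safe($description) {
    return '<p class="ccb-description">' . nl2br(esc_html($description)) . '</p>';
}

// Defence in depth: strip tags when the field is saved, so stored data
// stays inert even if another template forgets to escape it.
function save_description($raw) {
    return sanitize_textarea_field($raw);
}

// Constructed sample of a description carrying injected markup.
$stored = "Price includes delivery.\n<script>/* injected */</script>";

$vulnerable = render_description_vulnerable($stored);
$safe       = render_description_safe($stored);

assert(strpos($vulnerable, '<script>') !== false);  // markup reaches the page
assert(strpos($safe, '<script>') === false);        // rendered as &lt;script&gt;
assert(strpos($safe, '&lt;script&gt;') !== false);
assert(strpos(save_description($stored), '<script>') === false);

echo $safe, PHP_EOL;
```

Run with `php -f` to see the escaped output; the assertions document the expected behaviour of each path.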

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-06-14T16:55:44.190Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6bfab7ef31ef0b55d3f5

Added to database: 2/25/2026, 9:39:06 PM

Last enriched: 2/26/2026, 3:00:14 AM

Last updated: 2/26/2026, 8:08:28 AM