CVE-2024-6225 is a stored cross-site scripting vulnerability identified in the Amelia Booking for Appointments and Events Calendar WordPress plugin, affecting all versions up to 1.1.5 and 7.5.1 for the Pro version. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically in the plugin's admin settings interface. Due to insufficient input sanitization and lack of proper output escaping, authenticated users with administrator-level permissions or higher can inject arbitrary JavaScript code into pages. These malicious scripts execute whenever a user accesses the compromised page, potentially leading to session hijacking, defacement, or other client-side attacks. The vulnerability is constrained to multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting its scope. Exploitation requires authenticated high-privilege access, no user interaction is needed once the script is injected, and the vulnerability affects confidentiality and integrity but not availability. The CVSS 3.1 base score is 4.4, indicating medium severity, with attack vector network, attack complexity high, privileges required high, no user interaction, and scope changed. No public exploits are known at this time, but the vulnerability poses a risk to organizations using this plugin in the specified configurations.

The primary impact of CVE-2024-6225 is the potential for authenticated administrators to inject malicious scripts that execute in the context of other users accessing affected pages. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, or defacement of administrative interfaces. While the vulnerability requires high privileges to exploit, it can facilitate privilege escalation or lateral movement if an attacker compromises an administrator account. The impact on confidentiality and integrity is limited but significant in environments where sensitive data or administrative controls are accessible. Availability is not affected. Organizations running multi-site WordPress installations with the Amelia plugin are at higher risk, especially if unfiltered_html is disabled, as this setting restricts HTML filtering and enables the vulnerability. The absence of known exploits reduces immediate risk, but the medium severity score suggests that attackers with administrative access could leverage this vulnerability to compromise site integrity and user trust.

To mitigate CVE-2024-6225, organizations should first update the Amelia Booking plugin to a version where this vulnerability is patched once available. Until patches are released, administrators should restrict access to the WordPress admin interface to trusted personnel only and monitor for suspicious administrator account activity. Enabling strict input validation and output escaping in custom plugin configurations can reduce risk. For multi-site installations, consider disabling or limiting multi-site features if not required. Review and adjust the unfiltered_html capability settings carefully, as enabling unfiltered_html for administrators may reduce exposure. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts in admin settings. Regularly audit plugin configurations and user permissions to ensure no unauthorized changes occur. Finally, maintain comprehensive logging and monitoring to detect potential exploitation attempts early.