CVE-2024-6391 is a stored cross-site scripting (XSS) vulnerability identified in the oik plugin for WordPress, specifically within the bw_button shortcode functionality. This vulnerability exists in all versions up to and including 4.10.3 due to improper neutralization of input during web page generation, classified under CWE-79. The root cause is insufficient sanitization and output escaping of user-supplied attributes, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability does not require user interaction beyond viewing the compromised page but does require the attacker to have authenticated access with contributor or higher privileges, limiting exploitation to insiders or compromised accounts. The CVSS v3.1 base score is 6.4, reflecting medium severity, with attack vector network (remote), low attack complexity, privileges required (low), no user interaction, and scope changed due to impact on other users. No public exploits have been reported yet, but the vulnerability poses a risk to WordPress sites using the oik plugin, especially those with multiple contributors or editors. The vulnerability highlights the importance of proper input validation and output encoding in plugin development to prevent stored XSS attacks.

The primary impact of CVE-2024-6391 is the compromise of confidentiality and integrity for users interacting with affected WordPress sites. An attacker with contributor-level access can inject malicious scripts that execute in the browsers of other users, potentially stealing session cookies, performing actions on behalf of users, or defacing content. This can lead to unauthorized access escalation, data leakage, or reputational damage for organizations. Although availability is not directly affected, the indirect consequences of trust erosion and potential regulatory non-compliance can be significant. Organizations with multiple contributors or editors are at higher risk, as the attacker must have authenticated access to exploit the vulnerability. The vulnerability could be leveraged in targeted attacks against organizations relying on the oik plugin, especially those with sensitive user data or high traffic. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is public. Overall, the vulnerability presents a moderate risk that requires timely remediation to prevent exploitation.

To mitigate CVE-2024-6391, organizations should first update the oik plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the bw_button shortcode can provide temporary protection. Site administrators should also enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scanning the website for injected scripts or unusual content in pages using the bw_button shortcode can help detect exploitation attempts. Additionally, educating contributors about secure content practices and monitoring logs for anomalous behavior will reduce risk. Finally, plugin developers should review and improve input validation and output encoding practices to prevent similar vulnerabilities in future releases.