CVE-2024-6478 is a medium-severity vulnerability classified as a Stored Cross-Site Scripting (XSS) issue affecting the WordPress plugin 'CTT Expresso para WooCommerce' in versions prior to 3.2.13. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings inputs. This flaw allows users with high privileges, such as administrators, to inject malicious scripts that are stored persistently within the plugin's settings. Notably, this vulnerability can be exploited even when the WordPress 'unfiltered_html' capability is disabled, such as in multisite environments, which typically restricts the ability to post unfiltered HTML. The CVSS 3.1 base score is 4.8, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), user interaction required (UI:R), scope changed (S:C), and limited impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). The vulnerability could allow an attacker with admin access to execute arbitrary JavaScript in the context of other users’ browsers, potentially leading to session hijacking, privilege escalation, or other malicious activities within the affected WordPress site. No public exploits are currently known in the wild, and no official patches or updates have been linked yet. The vulnerability was reserved in July 2024 and published in May 2025 by WPScan.

For European organizations using WooCommerce with the CTT Expresso plugin, this vulnerability poses a risk primarily in environments where multiple administrators or high-privilege users have access to the WordPress backend. Exploitation could lead to persistent XSS attacks that compromise the integrity and confidentiality of user sessions, potentially allowing attackers to hijack admin accounts or perform unauthorized actions. This is particularly concerning for e-commerce sites handling sensitive customer data and payment information. The impact is heightened in multisite WordPress setups common in larger organizations or agencies managing multiple client sites, where the usual restrictions on unfiltered HTML are bypassed by this vulnerability. While availability is not directly affected, the reputational damage and potential data breaches could have significant regulatory and financial consequences under GDPR and other European data protection laws.

Organizations should immediately verify if they are using the CTT Expresso para WooCommerce plugin and confirm the version. Since no official patch link is provided, administrators should consider the following specific mitigations: 1) Restrict administrative access strictly to trusted personnel and review user privileges to minimize the number of high-privilege users. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting plugin settings. 3) Conduct manual code reviews or apply custom sanitization filters on plugin settings inputs if feasible. 4) Monitor logs for unusual admin activity or unexpected changes in plugin settings. 5) Consider temporarily disabling or replacing the plugin until an official patch is released. 6) Educate administrators about the risks of stored XSS and safe content input practices. 7) Regularly back up WordPress sites to enable quick restoration if compromise occurs.