CVE-2024-6480: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in shopitpress SIP Reviews Shortcode for WooCommerce
CVE-2024-6480 is a medium severity vulnerability in the SIP Reviews Shortcode for WooCommerce WordPress plugin that allows stored cross-site scripting (XSS) via the 'no_of_reviews' attribute in the woocommerce_reviews shortcode. Authenticated users with contributor-level access or higher can inject malicious scripts that execute when other users view the affected pages. The vulnerability arises from improper input sanitization and output escaping; it is filed under CWE-89 (SQL injection), although the impact described is stored XSS. Exploitation does not require user interaction beyond viewing the injected page, and no known public exploits exist yet. The vulnerability affects all versions up to and including 1.2.3 of the plugin. Organizations using WooCommerce with this plugin should prioritize patching or applying mitigations to prevent potential account compromise or session hijacking. This threat primarily targets WordPress websites with contributor-level user roles enabled and the vulnerable plugin installed.
AI Analysis
Technical Summary
CVE-2024-6480 identifies a stored cross-site scripting vulnerability in the SIP Reviews Shortcode for WooCommerce WordPress plugin, specifically via the 'no_of_reviews' attribute in the woocommerce_reviews shortcode. The root cause is insufficient input sanitization and output escaping of user-supplied attributes, allowing authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is categorized under CWE-89 (improper neutralization of special elements in SQL commands), indicating that the same unsanitized attribute may also reach a SQL query, although the primary impact described is stored XSS. The CVSS 3.1 base score is 6.4 (medium severity), reflecting a network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impact with no availability impact. No patches or known exploits are currently available, but the vulnerability affects all versions up to 1.2.3 of the plugin. The vulnerability was published on October 31, 2024, and assigned by Wordfence. This threat is significant for WordPress sites using WooCommerce with the vulnerable plugin installed, especially those allowing contributor-level user roles to interact with shortcodes.
Potential Impact
The primary impact of CVE-2024-6480 is the potential for stored cross-site scripting attacks, which can lead to session hijacking, unauthorized actions, and privilege escalation within affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users, including administrators, potentially compromising site integrity and confidentiality. This can result in data theft, defacement, or unauthorized administrative control. The vulnerability does not affect availability directly but can undermine trust and lead to reputational damage. Organizations relying on WooCommerce and the SIP Reviews Shortcode plugin are at risk, especially e-commerce sites where customer data and transactions are critical. The attack requires authenticated access, limiting exposure to internal or registered users, but the widespread use of WordPress and WooCommerce globally increases the potential attack surface. Without mitigation, attackers could leverage this vulnerability to pivot further into the network or conduct phishing campaigns using compromised sites.
Mitigation Recommendations
To mitigate CVE-2024-6480, organizations should immediately update the SIP Reviews Shortcode for WooCommerce plugin to a patched version once available. Until a patch is released, restrict contributor-level and higher user roles from accessing or modifying shortcodes that include the 'no_of_reviews' attribute. Implement strict input validation and output escaping at the application level for all user-supplied shortcode attributes. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable shortcode. Conduct regular audits of user roles and permissions to minimize unnecessary contributor-level access. Monitor logs for unusual shortcode modifications or script injections. Educate site administrators and contributors about the risks of injecting untrusted content. Consider disabling the vulnerable shortcode functionality if it is not essential. Finally, maintain up-to-date backups to enable recovery in case of compromise.
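The following is an added illustration of the "strict input validation and output escaping" recommendation, not code from the SIP Reviews Shortcode plugin: a hypothetical woocommerce_reviews shortcode handler in the unsafe shape the advisory describes (the 'no_of_reviews' attribute trusted as-is and reaching both a SQL LIMIT and rendered HTML) next to a hardened version. Function names prefixed demo_ are assumptions; shortcode_atts(), absint(), $wpdb->prepare(), esc_attr() and wp_kses_post() are standard WordPress APIs.

```php
<?php
// Added example, not the plugin's own code. Hypothetical handlers for the
// [woocommerce_reviews no_of_reviews="..."] shortcode.

// UNSAFE pattern (the class of defect the advisory describes): the attribute
// is used verbatim. A contributor who can place the shortcode controls a
// string that lands in the query and in the page markup unescaped.
function demo_reviews_shortcode_unsafe( $atts ) {
    global $wpdb;
    $n    = $atts['no_of_reviews'];
    $rows = $wpdb->get_results(
        "SELECT comment_content FROM {$wpdb->comments} WHERE comment_approved = '1' LIMIT $n"
    );
    $out = '<div class="reviews" data-count="' . $n . '">';
    foreach ( $rows as $r ) {
        $out .= '<p>' . $r->comment_content . '</p>';
    }
    return $out . '</div>';
}

// HARDENED version: declare the expected attributes with defaults, coerce the
// count to a bounded integer, bind it through $wpdb->prepare(), and escape
// every value at the point it is written into HTML.
function demo_reviews_shortcode_safe( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'no_of_reviews' => 5 ), $atts, 'woocommerce_reviews' );

    // absint() turns anything that is not a non-negative integer into 0;
    // the clamp keeps the count in a sane range regardless of input.
    $n = min( 50, max( 1, absint( $atts['no_of_reviews'] ) ) );

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT comment_content FROM {$wpdb->comments} WHERE comment_approved = '1' LIMIT %d",
            $n
        )
    );

    // esc_attr() for attribute context; wp_kses_post() keeps benign formatting
    // in the review body but strips script-bearing markup and event handlers.
    $out = '<div class="reviews" data-count="' . esc_attr( $n ) . '">';
    foreach ( $rows as $r ) {
        $out .= '<p>' . wp_kses_post( $r->comment_content ) . '</p>';
    }
    return $out . '</div>';
}
add_shortcode( 'woocommerce_reviews', 'demo_reviews_shortcode_safe' );
```

The same two controls (type coercion plus parameter binding on the way into SQL, context-appropriate escaping on the way out to HTML) address both the CWE-89 classification and the stored XSS behaviour the advisory describes.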
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-07-03T14:32:29.354Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c04b7ef31ef0b55eff8
Added to database: 2/25/2026, 9:39:16 PM
Last enriched: 2/26/2026, 3:11:44 AM
Last updated: 2/26/2026, 9:19:24 AM