CVE-2024-6661 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the ParityPress – Parity Pricing with Discount Rules plugin for WordPress. This vulnerability affects all versions up to and including 1.0.0. The root cause is insufficient sanitization and escaping of user-supplied input in the 'Discount Text' field, which is used during web page generation. Authenticated attackers with administrator-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into the 'Discount Text' field. Because the vulnerability is stored, the malicious script persists in the database and executes whenever any user accesses the affected page, potentially compromising user sessions or performing unauthorized actions. The vulnerability specifically affects multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting the scope but still posing a significant risk in these environments. The CVSS v3.1 base score is 5.5, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring high privileges but no user interaction. The vulnerability impacts confidentiality and integrity but not availability. No patches or known exploits have been reported at the time of publication, but the risk remains for targeted attacks in vulnerable environments.

The primary impact of CVE-2024-6661 is the potential for attackers with administrator privileges to inject malicious scripts that execute in the context of other users visiting the affected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of other users, and potential privilege escalation if combined with other vulnerabilities. Since the vulnerability affects multi-site WordPress installations or those with unfiltered_html disabled, organizations running complex WordPress environments with multiple sites are at higher risk. The impact on confidentiality and integrity is moderate, as attackers can manipulate or steal data accessible to users viewing the injected content. Availability is not affected. Although exploitation requires high privileges, the risk is significant because administrators typically have broad control over the site. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially in targeted attacks against organizations using this plugin. The vulnerability could be leveraged in phishing campaigns or internal attacks where an attacker has gained administrative access.

1. Immediate mitigation involves restricting administrator-level access to trusted personnel only and auditing existing admin accounts for suspicious activity. 2. Disable or limit the use of the 'Discount Text' field until a patch or update is available. 3. Implement strict input validation and output escaping on the 'Discount Text' field to prevent script injection. 4. For multi-site WordPress installations, review and adjust permissions and capabilities related to unfiltered_html to minimize risk. 5. Monitor web server and application logs for unusual script injection attempts or unexpected behavior on affected pages. 6. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 7. Regularly update WordPress core, plugins, and themes to the latest versions once a patch for this vulnerability is released. 8. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block XSS payloads targeting this plugin. 9. Educate administrators about the risks of XSS and safe input handling practices. 10. Backup affected sites regularly to enable quick restoration if exploitation occurs.