CVE-2024-6752 is a stored Cross-Site Scripting vulnerability classified under CWE-79, affecting the WPWeb Social Auto Poster plugin for WordPress in all versions up to and including 5.3.14. The flaw exists in the handling of the ‘wp_name’ parameter within the 'wpw_auto_poster_map_wordpress_post_type' AJAX function, where insufficient input sanitization and lack of proper output escaping allow attackers to inject arbitrary JavaScript code. This vulnerability is exploitable by authenticated users with Subscriber-level privileges or higher, which is a relatively low privilege level in WordPress. Once exploited, the injected scripts execute in the context of any user who views the affected page, potentially leading to session hijacking, defacement, or further exploitation such as privilege escalation. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and a scope change indicating impact beyond the initially compromised component. Although no active exploits have been reported, the vulnerability poses a significant risk due to the widespread use of WordPress and this plugin. The lack of a patch at the time of reporting necessitates immediate mitigation steps to reduce exposure.

The primary impact of CVE-2024-6752 is the compromise of confidentiality and integrity through stored XSS attacks. Attackers can inject malicious scripts that execute in the browsers of users who access the infected pages, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of users. This can lead to account takeover, data leakage, and reputational damage. Since the vulnerability requires only Subscriber-level access, attackers can exploit compromised or low-privilege accounts, increasing the attack surface. The scope change means that the vulnerability affects multiple users beyond the initial attacker, amplifying the potential damage. Organizations relying on the Social Auto Poster plugin risk exposure of sensitive user data and disruption of normal website operations. Although availability is not directly impacted, the indirect consequences of exploitation can cause operational disruptions and loss of user trust.

Organizations should immediately audit their WordPress installations for the presence of the WPWeb Social Auto Poster plugin and verify the version in use. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack vector. If disabling is not feasible, restrict Subscriber-level user capabilities to prevent unauthorized access to the vulnerable AJAX function. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the ‘wp_name’ parameter, focusing on common XSS attack patterns. Regularly monitor logs for unusual AJAX requests or unexpected user behavior. Educate users about the risks of XSS and encourage the use of strong authentication mechanisms such as multi-factor authentication to reduce account compromise risk. Once a patch becomes available, apply it promptly and verify the fix through security testing. Additionally, consider employing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages.