CVE-2024-6753 is a stored Cross-Site Scripting vulnerability identified in the Social Auto Poster plugin developed by WPWeb for WordPress. The vulnerability exists in all versions up to and including 5.3.14 due to insufficient sanitization and escaping of the 'mapTypes' parameter within the 'wpw_auto_poster_map_wordpress_post_type' AJAX handler. This parameter is vulnerable because user-supplied input is directly embedded into web pages without proper neutralization, allowing attackers to inject arbitrary JavaScript code. Since the AJAX function is accessible without authentication, any unauthenticated attacker can exploit this flaw remotely. When a victim visits a page containing the injected script, the malicious code executes in their browser context, potentially enabling theft of cookies, session tokens, or performing actions on behalf of the user. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common and dangerous web security issue. The CVSS v3.1 base score is 7.2, reflecting high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. However, the risk remains significant due to the plugin’s popularity and the ease of exploitation.

The impact of CVE-2024-6753 is substantial for organizations using the WPWeb Social Auto Poster plugin on WordPress sites. Successful exploitation can lead to unauthorized script execution in users’ browsers, enabling attackers to steal sensitive information such as authentication cookies, personal data, or perform unauthorized actions on behalf of users. This compromises the confidentiality and integrity of user data and site content. The vulnerability could facilitate further attacks like phishing, session hijacking, or malware distribution. Since exploitation requires no authentication or user interaction, the attack surface is broad, increasing the likelihood of automated or mass exploitation attempts. Organizations with high-traffic WordPress sites or those handling sensitive user data face increased reputational and operational risks. Additionally, compromised sites could be used as a vector to attack visitors or other connected systems, amplifying the threat. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits rapidly once details are public.

To mitigate CVE-2024-6753, organizations should first verify if they are using the WPWeb Social Auto Poster plugin and identify the version in use. Immediate mitigation involves updating the plugin to a patched version once released by the vendor. In the absence of an official patch, administrators should consider disabling or uninstalling the plugin to eliminate the attack vector. As a temporary measure, implementing a Web Application Firewall (WAF) with custom rules to detect and block malicious payloads targeting the 'mapTypes' parameter in AJAX requests can reduce risk. Additionally, applying Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script execution sources. Site owners should also audit their WordPress installations for signs of compromise and educate users about the risks of XSS attacks. Regular backups and monitoring for unusual activity are recommended to enable rapid recovery if exploitation occurs. Finally, developers maintaining the plugin should apply secure coding practices, including proper input validation and output encoding, to prevent similar vulnerabilities.