CVE-2024-6828 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the Redux Framework WordPress plugin, specifically versions 4.4.12 through 4.4.17. The flaw arises from missing authorization and capability checks in the Redux_Color_Scheme_Import function, which handles JSON file uploads. Because these checks are absent, unauthenticated attackers can upload arbitrary JSON files to the server. The uploaded JSON files can be crafted to execute stored cross-site scripting (XSS) attacks, compromising the confidentiality and integrity of the website and its users. In rare scenarios, if the WordPress filesystem API (wp_filesystem) fails to initialize properly, the vulnerability can escalate to remote code execution (RCE), allowing attackers to execute arbitrary code on the server. The vulnerability is remotely exploitable over the network without any authentication or user interaction, increasing its risk profile. Although no known exploits have been reported in the wild yet, the potential for serious impact exists. The CVSS v3.1 base score is 7.2, indicating a high severity level due to network attack vector, no privileges required, no user interaction, and a scope change. The vulnerability affects a widely used WordPress plugin, increasing the potential attack surface. No official patches or updates are linked in the provided data, so mitigation relies on vendor updates or workarounds.

The vulnerability can lead to significant impacts for organizations running WordPress sites with the affected Redux Framework versions. Stored XSS attacks can compromise user sessions, steal sensitive data, and facilitate phishing or malware distribution. In the worst-case scenario of RCE, attackers could gain full control over the web server, leading to data breaches, website defacement, or use of the server as a pivot point for further network attacks. The lack of authentication and user interaction requirements means attackers can exploit this vulnerability remotely and anonymously, increasing the likelihood of automated attacks. Organizations relying on WordPress for e-commerce, content management, or customer engagement face reputational damage, financial loss, and regulatory compliance risks if exploited. The vulnerability also threatens the integrity of website content and user trust. Given the widespread use of WordPress and Redux Framework, the potential scope of impact is broad.

Organizations should immediately verify if their WordPress installations use the Redux Framework plugin versions 4.4.12 to 4.4.17 and upgrade to a patched version once available. In the absence of an official patch, administrators should disable or restrict access to the Redux_Color_Scheme_Import function, possibly by limiting file upload capabilities or applying web application firewall (WAF) rules to block unauthorized JSON uploads targeting this endpoint. Implementing strict input validation and sanitization on uploaded files can reduce the risk of stored XSS. Monitoring web server logs for suspicious JSON upload attempts and unusual activity related to the plugin is recommended. Additionally, ensuring the WordPress filesystem API initializes correctly can reduce the risk of RCE exploitation. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs. Finally, consider isolating WordPress instances and applying the principle of least privilege to limit the impact of potential compromise.