
CVE-2024-6894: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in filipe-mateus-do-nascimento RD Station

Severity: Medium
Tags: Vulnerability, CVE-2024-6894, CWE-79
Published: Thu Sep 05 2024 (09/05/2024, 09:29:49 UTC)
Source: CVE Database V5
Vendor/Project: filipe-mateus-do-nascimento
Product: RD Station

Description

CVE-2024-6894 is a stored cross-site scripting (XSS) vulnerability in the RD Station WordPress plugin up to and including version 5.3.2. It arises from improper input sanitization and output escaping of post metaboxes, allowing authenticated users with Contributor-level access or higher to inject malicious scripts. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions. The vulnerability has a CVSS score of 6.4, indicating medium severity, with no known exploits in the wild yet. Exploitation requires authentication but no user interaction beyond viewing the affected page. Organizations using this plugin should prioritize patching or applying mitigations to prevent exploitation. The threat primarily affects WordPress sites globally, especially those relying on RD Station for marketing automation.

AI-Powered Analysis

Last updated: 02/26/2026, 03:27:19 UTC

Technical Analysis

CVE-2024-6894 is a stored cross-site scripting vulnerability identified in the RD Station plugin for WordPress, maintained by filipe-mateus-do-nascimento. The flaw exists in all versions up to and including 5.3.2 due to insufficient sanitization and escaping of input data in post metaboxes added by the plugin. Specifically, authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript code into these metaboxes. When any user, including administrators or visitors, accesses a page containing the injected script, the malicious code executes in their browser context. This can lead to theft of authentication cookies, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common XSS category. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, requiring privileges, no user interaction, and partial impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using RD Station, especially those with multiple contributors. The scope is broad as it affects all plugin versions up to 5.3.2 and can impact any site where the plugin is installed. The vulnerability underscores the importance of rigorous input validation and output encoding in web applications, particularly plugins that extend CMS functionality.

Potential Impact

The impact of CVE-2024-6894 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers with contributor-level access to execute arbitrary scripts in the context of other users, including administrators. This can lead to session hijacking, unauthorized data access, defacement, or further compromise of the website and its users. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who visit the infected page, increasing the attack surface. Organizations relying on RD Station for marketing automation and lead management may suffer reputational damage, data leakage, and potential compliance violations if customer data is exposed. The vulnerability does not directly affect availability but can indirectly disrupt operations through administrative account compromise or content manipulation. Given WordPress's widespread use globally, the threat can affect a large number of websites, particularly those with multiple content contributors and marketing teams. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but this is common in collaborative environments, making the risk significant.

Mitigation Recommendations

To mitigate CVE-2024-6894, organizations should first update the RD Station plugin to a version where the vulnerability is patched once available. Until a patch is released, administrators should restrict Contributor-level permissions to trusted users only and audit existing user roles to minimize risk. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads can provide temporary protection. Site administrators should also enable Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Regularly scanning the website for injected scripts or unusual content in post metaboxes can help detect exploitation attempts. Educating content contributors about safe input practices and monitoring logs for suspicious activities are additional layers of defense. Finally, applying the principle of least privilege and enforcing strong authentication mechanisms reduces the likelihood of account compromise that could lead to exploitation.
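The root cause described in the technical analysis (metabox input stored without sanitization and echoed without escaping) and the fix implied by the mitigations can be shown side by side in WordPress plugin code. This is an added illustration, not the RD Station plugin's own code: the meta key `_example_tracking_snippet`, the field name and all `example_*` function names are hypothetical.

```php
<?php
// Constructed illustration of CWE-79 in a post metabox, not the plugin's code.
// Meta key, field name and function names are hypothetical placeholders.

// VULNERABLE PATTERN: stores the submitted value verbatim and echoes it raw.
function example_save_meta_vulnerable( $post_id ) {
    if ( isset( $_POST['example_tracking_snippet'] ) ) {
        update_post_meta( $post_id, '_example_tracking_snippet', $_POST['example_tracking_snippet'] );
    }
}
function example_render_vulnerable( $post_id ) {
    // CWE-79: a Contributor's stored value reaches every viewer's browser unescaped.
    echo get_post_meta( $post_id, '_example_tracking_snippet', true );
}

// HARDENED PATTERN: nonce + capability check on save, sanitize on input,
// escape for the right context on output.
function example_render_metabox( $post ) {
    wp_nonce_field( 'example_save_meta', 'example_meta_nonce' );
    $value = get_post_meta( $post->ID, '_example_tracking_snippet', true );
    // Attribute context: esc_attr(), so a stray quote cannot break out of value="".
    printf( '<input type="text" name="example_tracking_snippet" value="%s" />', esc_attr( $value ) );
}

function example_save_meta_hardened( $post_id ) {
    // Nonce and capability checks stop CSRF; they do not stop this bug, because a
    // Contributor legitimately edits their own drafts. The XSS fix is the next two lines.
    if ( ! isset( $_POST['example_meta_nonce'] )
        || ! wp_verify_nonce( $_POST['example_meta_nonce'], 'example_save_meta' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['example_tracking_snippet'] ) ) {
        // sanitize_text_field() strips tags and encodes lone '<', so a script
        // tag never reaches wp_postmeta in the first place.
        $clean = sanitize_text_field( wp_unslash( $_POST['example_tracking_snippet'] ) );
        update_post_meta( $post_id, '_example_tracking_snippet', $clean );
    }
}

function example_render_front_end( $post_id ) {
    // Escape at output as well: defence in depth if a value ever bypassed sanitization.
    echo esc_html( get_post_meta( $post_id, '_example_tracking_snippet', true ) );
}

add_action( 'add_meta_boxes', function () {
    add_meta_box( 'example_meta', 'Example metabox', 'example_render_metabox', 'post' );
} );
add_action( 'save_post', 'example_save_meta_hardened' );
```

When auditing a plugin for this class of bug, look for exactly the vulnerable shape: an `update_post_meta()` fed directly from `$_POST` and a `get_post_meta()` result that is echoed without an `esc_*()` call for its HTML context.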


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-07-18T19:45:16.126Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c0eb7ef31ef0b55f6f2

Added to database: 2/25/2026, 9:39:26 PM

Last enriched: 2/26/2026, 3:27:19 AM

Last updated: 2/26/2026, 8:16:41 AM

