CVE-2024-7301 identifies a stored cross-site scripting (XSS) vulnerability in the WordPress File Upload plugin developed by nickboss, affecting all versions up to and including 4.24.8. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically related to SVG file uploads. SVG files can contain embedded scripts, and due to insufficient input sanitization and output escaping in the plugin, attackers can upload crafted SVG files containing malicious JavaScript code. When any user accesses a page displaying or referencing the malicious SVG, the embedded script executes in their browser context. This attack vector does not require any authentication or user interaction, making it highly accessible to remote attackers. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed on behalf of users. The CVSS v3.1 score of 7.2 reflects a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change indicating the vulnerability affects components beyond the vulnerable plugin itself. No patches or exploits are currently publicly available, but the risk remains significant due to the plugin’s popularity and the common use of SVG files in web content. The vulnerability highlights the critical need for proper input validation and output encoding in web applications handling user-uploaded content, especially file types capable of embedding executable code.

The impact of CVE-2024-7301 is substantial for organizations using the WordPress File Upload plugin, as it allows unauthenticated attackers to execute arbitrary scripts in the context of users visiting affected pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, defacement, or further exploitation of the victim’s environment. The vulnerability compromises confidentiality and integrity but does not directly affect availability. Given the plugin’s widespread use in WordPress sites globally, the scope of affected systems is broad, potentially impacting websites ranging from small businesses to large enterprises. Attackers could leverage this vulnerability to pivot into internal networks or conduct phishing campaigns using compromised sites. The lack of required authentication and user interaction lowers the barrier to exploitation, increasing the likelihood of attacks once exploit code becomes available. Organizations hosting public-facing WordPress sites with this plugin are at risk of reputational damage, data breaches, and regulatory consequences if exploited.

To mitigate CVE-2024-7301, organizations should immediately update the WordPress File Upload plugin to a patched version once released by the vendor. Until a patch is available, administrators should disable SVG file uploads entirely or restrict uploads to safe file types only. Implementing server-side validation to reject SVG files containing scripts or suspicious content is critical. Employ Content Security Policy (CSP) headers to restrict script execution and reduce the impact of potential XSS attacks. Regularly audit and monitor uploaded files for anomalies and unauthorized changes. Additionally, ensure that WordPress core and all plugins are kept up to date to minimize exposure to known vulnerabilities. Web application firewalls (WAFs) can be configured to detect and block malicious payloads in file uploads. Educate site administrators and users about the risks of uploading untrusted files and enforce the principle of least privilege for file upload permissions. Finally, conduct security testing and code reviews focusing on input sanitization and output encoding for all user-supplied content.