CVE-2024-7302 is a stored cross-site scripting (XSS) vulnerability identified in the Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress, maintained by pr-gateway. The flaw exists in all versions up to and including 7.5.4 and is triggered via the upload of 3gp2 multimedia files. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of uploaded 3gp2 files. Authenticated users with author-level access or higher can exploit this by uploading a crafted 3gp2 file containing malicious JavaScript code. When any user subsequently accesses the page or resource referencing this file, the embedded script executes in their browser context. This can lead to theft of session cookies, unauthorized actions on behalf of users, or further compromise of the WordPress site. The vulnerability does not require user interaction beyond accessing the malicious file and does not require administrative privileges to exploit, though author-level access is necessary to upload the payload. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required at the author level, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a credible risk to WordPress sites using this plugin, especially those with multiple contributors. The lack of patch links suggests a fix may be pending or not yet publicly released. Organizations should monitor for updates and consider temporary mitigations such as restricting author uploads or sanitizing 3gp2 file handling.

The vulnerability allows authenticated users with author-level privileges to inject persistent malicious scripts into the WordPress site via 3gp2 file uploads. This can compromise the confidentiality and integrity of user sessions and data by enabling session hijacking, credential theft, or unauthorized actions performed in the context of other users, including administrators. The stored nature of the XSS means the malicious payload persists and affects any user accessing the infected resource, increasing the attack surface. Although availability is not directly impacted, the reputational damage and potential data breaches can be significant. Organizations relying on the Blog2Social plugin for social media automation may face targeted attacks, especially if they have multiple authors or contributors. The medium severity score indicates a moderate but actionable risk, particularly in environments where author accounts are not tightly controlled. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers could develop exploits rapidly once the vulnerability is public. The scope includes all WordPress sites using this plugin, which is popular among social media marketers and bloggers worldwide.

1. Immediately restrict author-level users from uploading 3gp2 files or disable file uploads for non-administrative users until a patch is available. 2. Monitor and audit all 3gp2 file uploads for suspicious content or unexpected file metadata. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious scripts embedded in 3gp2 files or unusual requests targeting these files. 4. Enforce strict Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of any injected scripts. 5. Regularly update the Blog2Social plugin as soon as the vendor releases a security patch addressing this vulnerability. 6. Educate authors and contributors about the risks of uploading untrusted files and enforce strong access controls and user permissions. 7. Consider disabling or limiting the use of the vulnerable plugin if it is not essential to business operations. 8. Conduct periodic security scans and penetration tests focusing on file upload functionalities and XSS vectors.