CVE-2024-7304: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in techjewel Ninja Tables – Easiest Data Table Builder
CVE-2024-7304 is a stored cross-site scripting (XSS) vulnerability in the Ninja Tables WordPress plugin, affecting all versions up to 5.0.12. It arises from insufficient sanitization and escaping of SVG file uploads, allowing authenticated users with Author-level or higher privileges to inject malicious scripts. These scripts execute whenever any user accesses the infected SVG file, potentially compromising user data and session integrity. The vulnerability has a CVSS score of 6.4, indicating medium severity, with no known active exploits reported yet. Exploitation requires authentication but no user interaction beyond accessing the malicious SVG. This flaw can lead to partial confidentiality and integrity loss but does not impact availability. Organizations using this plugin should prioritize patching or mitigating this vulnerability to prevent potential attacks.
AI Analysis
Technical Summary
CVE-2024-7304 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Ninja Tables – Easiest Data Table Builder WordPress plugin developed by techjewel. This vulnerability affects all versions up to and including 5.0.12. The root cause is insufficient input sanitization and output escaping during the handling of SVG file uploads. Authenticated users with Author-level access or higher can upload malicious SVG files containing embedded JavaScript. When any user subsequently accesses a page containing the malicious SVG, the embedded script executes in the context of the victim's browser. This can lead to theft of session cookies, user impersonation, or unauthorized actions performed on behalf of the victim. The vulnerability is remotely exploitable over the network without user interaction beyond viewing the infected SVG. The CVSS v3.1 base score is 6.4, reflecting medium severity, with attack vector network, low attack complexity, privileges required at the Author level, no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No public exploits are currently known, but the presence of stored XSS in a popular WordPress plugin makes it a significant risk if weaponized. The vulnerability was reserved on July 30, 2024, and published on August 27, 2024. No official patches or mitigation links were provided at the time of reporting, emphasizing the need for immediate attention from site administrators.
Potential Impact
The vulnerability allows attackers with Author-level privileges to inject persistent malicious scripts via SVG uploads, which execute in the browsers of any users viewing the infected content. This can lead to session hijacking, unauthorized actions, and data theft, compromising user confidentiality and integrity of the affected websites. Although availability is not impacted, the breach of trust and potential for further exploitation (such as privilege escalation or lateral movement within the site) can cause significant operational and reputational damage. Organizations relying on the Ninja Tables plugin for data presentation on WordPress sites face risks of targeted attacks, especially if they have multiple users with elevated privileges. The medium CVSS score reflects the moderate ease of exploitation combined with the requirement for authenticated access, but the scope change indicates that the vulnerability affects more than just the attacker’s privileges, impacting other users as well. This can be particularly damaging for sites with sensitive user data or high traffic volumes.
Mitigation Recommendations
1. Immediately update the Ninja Tables plugin to a patched version once available from the vendor.
2. Until a patch is released, restrict upload permissions to trusted users only, ideally limiting SVG uploads or disabling them entirely.
3. Implement additional server-side input validation and sanitization for SVG files, using libraries that can safely parse and clean SVG content to remove embedded scripts.
4. Employ Content Security Policy (CSP) headers to restrict script execution and reduce the impact of injected scripts.
5. Regularly audit user roles and permissions to minimize the number of users with Author-level or higher access.
6. Monitor web server logs and WordPress activity logs for suspicious SVG uploads or unusual user behavior.
7. Educate site administrators and users about the risks of uploading untrusted SVG files.
8. Consider using Web Application Firewalls (WAFs) with rules to detect and block malicious SVG payloads.
9. Back up website data regularly to enable quick recovery if exploitation occurs.
10. Review and harden WordPress security configurations to reduce attack surface.
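As an added illustration of mitigation step 3 (this is not code from Ninja Tables or WordPress), the following Python sanitizer parses an uploaded SVG and removes the script-bearing elements, event-handler attributes and javascript: links that make a stored SVG an XSS vector; the sample SVG is constructed and its payloads are inert.

```python
"""Strip active content from an uploaded SVG before it is stored or served.
Constructed illustration of mitigation step 3, not Ninja Tables' or WordPress's
own code; in production parse untrusted input with defusedxml, not xml.etree."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
DANGEROUS_TAGS = {"script", "foreignObject"}          # can carry executable code
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}            # may point at javascript:

def _local(name: str) -> str:
    """Local part of a namespaced tag or attribute name ('{ns}href' -> 'href')."""
    return name.rsplit("}", 1)[-1]

def _unsafe_url(value: str) -> bool:
    """True for javascript:, data: or any scheme other than http(s)."""
    v = "".join(value.split()).lower()                 # defeat 'java\tscript:'
    if v.startswith(("#", "/")) or ":" not in v:
        return False                                   # fragment, path or bare file
    return v.split(":", 1)[0] not in {"http", "https"}

def sanitize_svg(svg_text: str) -> tuple[str, list[str]]:
    """Return (cleaned SVG, list of removed items); raises if root is not <svg>."""
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    removed: list[str] = []
    for parent in list(root.iter()):                   # snapshot: tree is mutated
        for child in list(parent):
            if _local(child.tag) in DANGEROUS_TAGS:
                parent.remove(child)
                removed.append(f"element <{_local(child.tag)}>")
    for el in root.iter():
        for name, value in list(el.attrib.items()):
            if _local(name).lower().startswith("on"):  # onload, onclick, ...
                del el.attrib[name]
                removed.append(f"attribute {_local(name)}")
            elif name in URL_ATTRS and _unsafe_url(value):
                del el.attrib[name]
                removed.append(f"attribute {_local(name)}={value!r}")
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample: the kinds of payload the advisory describes, all inert here.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
    ' onload="alert(1)"><script>alert(1)</script>'
    '<a xlink:href="javascript:alert(1)"><rect width="10" height="10"/></a>'
    '<image href="https://example.invalid/logo.png"/></svg>')
```

Run `sanitize_svg(SAMPLE_SVG)` to see the cleaned markup and the three removed items; the rect and the https image link survive untouched.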
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-07-30T18:21:40.600Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c14b7ef31ef0b55faf9
Added to database: 2/25/2026, 9:39:32 PM
Last enriched: 2/26/2026, 3:35:37 AM
Last updated: 2/26/2026, 9:41:45 AM