
CVE-2024-7618: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in peepso Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App

Severity: Medium
Tags: vulnerability, CVE-2024-7618, CWE-79
Published: Tue Sep 10 2024 (09/10/2024, 07:30:04 UTC)
Source: CVE Database V5
Vendor/Project: peepso
Product: Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App

Description

CVE-2024-7618 is a stored cross-site scripting (XSS) vulnerability in the Community by PeepSo WordPress plugin affecting all versions up to 6.4.5.0. It arises from improper input sanitization and output escaping of the 'content' parameter, allowing authenticated administrators to inject malicious scripts. This vulnerability only impacts multi-site WordPress installations where the unfiltered_html capability is disabled. Exploitation requires administrator privileges and no user interaction is needed for the injected scripts to execute when other users access the compromised pages. The CVSS 3.1 base score is 4.4 (medium severity), reflecting low confidentiality and integrity impact but no availability impact.

AI-Powered Analysis

Last updated: 02/26/2026, 03:44:29 UTC

Technical Analysis

CVE-2024-7618 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Community by PeepSo plugin for WordPress, which provides social networking, membership, registration, and user profile features. The vulnerability exists due to insufficient neutralization of input during web page generation, specifically in the 'content' parameter. This flaw allows authenticated users with administrator-level privileges to inject arbitrary JavaScript code into pages. The malicious scripts are stored persistently and executed whenever any user accesses the affected page, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability affects all versions up to and including 6.4.5.0 and is limited to multi-site WordPress installations where the unfiltered_html capability is disabled, that is, installations in which WordPress is expected to filter the HTML that administrators submit. The attack vector is network-based, requiring high attack complexity and administrator privileges, with no user interaction needed for exploitation. The CVSS 3.1 score of 4.4 reflects a medium severity level, with low confidentiality and integrity impacts and no availability impact. No public exploits have been reported to date. The vulnerability highlights the risks of improper input validation and output encoding in web applications, especially in complex multi-site environments where plugin configurations vary. It underscores the importance of strict input sanitization and secure coding practices in WordPress plugin development.

Potential Impact

The primary impact of CVE-2024-7618 is the potential for stored XSS attacks within multi-site WordPress installations using the PeepSo plugin. Exploiting this vulnerability allows an attacker with administrator privileges to inject malicious scripts that execute in the browsers of users visiting the compromised pages. This can lead to session hijacking, theft of sensitive user data, unauthorized actions performed on behalf of users, and potential privilege escalation if combined with other vulnerabilities. Although the vulnerability requires administrator access, which limits the initial attack surface, the persistence and automatic execution of injected scripts increase risk to all users of the affected sites. Organizations relying on PeepSo for community and membership management may face reputational damage, data breaches, and compliance issues if exploited. The impact is confined to multi-site setups with unfiltered_html disabled, but these configurations are common in larger WordPress deployments, increasing the scope of affected organizations. No availability impact is expected, but confidentiality and integrity of user data and sessions are at risk. The absence of known exploits reduces immediate threat but does not eliminate future risks.

Mitigation Recommendations

To mitigate CVE-2024-7618, organizations should first update the Community by PeepSo plugin to a version where the vulnerability is patched once available. Until a patch is released, administrators should restrict access to the plugin’s content editing features to trusted users only, minimizing the risk of malicious script injection. Review and adjust WordPress multi-site configurations to carefully manage the unfiltered_html capability, ensuring it is enabled only where absolutely necessary. Implement Web Application Firewalls (WAFs) with rules to detect and block suspicious script injection attempts targeting the 'content' parameter. Conduct regular security audits and code reviews of plugins and customizations to identify and remediate input validation weaknesses. Educate administrators about the risks of stored XSS and enforce the principle of least privilege to limit administrator accounts. Monitor logs and user activity for unusual behavior indicative of exploitation attempts. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Finally, maintain a robust backup and incident response plan to quickly recover from any compromise.
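The analysis above describes the weakness as missing sanitization of the 'content' parameter and missing output escaping, and the mitigations call for honouring the unfiltered_html capability and adding CSP headers. The following PHP is an added illustration of how a WordPress plugin is expected to handle such a field; it is not PeepSo's code and does not reproduce the vulnerable function. The `peepso_example_*` function names, the `_peepso_example_content` meta key and the CSP policy string are assumptions chosen for the example; `current_user_can`, `wp_unslash`, `wp_kses_post`, `esc_html`, `update_post_meta`, `get_post_meta` and the `send_headers` action are real WordPress APIs.

```php
<?php
// Added example, not PeepSo plugin code. Function names prefixed
// peepso_example_ and the meta key are hypothetical.

/**
 * Sanitize a submitted 'content' value before it is stored.
 *
 * On a multisite install the unfiltered_html capability is normally
 * withheld even from site administrators, so the second branch is the
 * configuration CVE-2024-7618 concerns: WordPress expects the plugin to
 * reduce the markup to the post-safe allow-list. wp_kses_post() strips
 * <script> elements, on* event handlers and javascript: URLs.
 */
function peepso_example_sanitize_content( $raw_content ) {
    // Request data arrives slash-escaped; normalise it first.
    $content = wp_unslash( (string) $raw_content );

    if ( current_user_can( 'unfiltered_html' ) ) {
        // Capability explicitly granted to this user: store as submitted.
        return $content;
    }

    // Capability absent: enforce the allow-list server-side.
    return wp_kses_post( $content );
}

/**
 * Render stored content for output.
 *
 * Escaping at output time is the second line of defence in case a value
 * reached the database without passing through the sanitizer (for
 * example, content saved by an older plugin version).
 */
function peepso_example_render_content( $stored_content, $allow_markup = true ) {
    if ( $allow_markup ) {
        // Re-filter against the same allow-list used on save.
        return wp_kses_post( (string) $stored_content );
    }
    // Plain-text context (titles, attributes): escape every special character.
    return esc_html( (string) $stored_content );
}

/**
 * Persist a sanitized value and read it back for display.
 * Meta key is hypothetical.
 */
function peepso_example_save_content( $post_id, $raw_content ) {
    $clean = peepso_example_sanitize_content( $raw_content );
    update_post_meta( $post_id, '_peepso_example_content', $clean );
    return $clean;
}

function peepso_example_display_content( $post_id ) {
    $stored = get_post_meta( $post_id, '_peepso_example_content', true );
    return peepso_example_render_content( $stored );
}

/**
 * Emit a Content-Security-Policy header, the browser-side control the
 * mitigation section mentions. The policy string is an assumed starting
 * point; a real site must list the script origins it actually uses, or
 * inline scripts shipped by themes and other plugins will stop running.
 */
add_action( 'send_headers', function () {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
} );
```

Wiring the sanitizer into the save path and the renderer into the display path means a stored payload is neutralised twice, on the way in and on the way out, which is the pattern that closes a CWE-79 stored XSS regardless of which administrator account submitted it.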


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-08-08T15:35:48.431Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c1cb7ef31ef0b560019

Added to database: 2/25/2026, 9:39:40 PM

Last enriched: 2/26/2026, 3:44:29 AM

Last updated: 2/26/2026, 6:18:31 AM
