CVE-2024-7758 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability identified in the Stylish Price List WordPress plugin versions prior to 7.1.8. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings inputs. This flaw allows users with contributor-level privileges or higher to inject malicious scripts that are stored persistently within the plugin's data. Notably, this exploitation is possible even when the WordPress unfiltered_html capability is disabled, such as in multisite environments, which typically restricts users from posting unfiltered HTML content. The vulnerability leverages CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 score of 4.8 reflects a medium severity, with an attack vector of network (remote), low attack complexity, requiring high privileges, and user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss but no availability impact. No known exploits are currently reported in the wild, and no official patches or fixes have been linked yet. This vulnerability is significant because contributor-level users, who normally have limited capabilities, can escalate their impact by injecting malicious scripts that execute in the context of other users, potentially administrators or site visitors, leading to session hijacking, privilege escalation, or defacement.

For European organizations using WordPress sites with the Stylish Price List plugin, this vulnerability poses a risk of persistent XSS attacks that can compromise site integrity and user trust. Attackers with contributor or higher privileges can inject malicious scripts that execute in the browsers of administrators or other users, potentially leading to credential theft, unauthorized actions, or further compromise of the website. This is particularly concerning for organizations that operate multisite WordPress installations, common in educational institutions, government agencies, and enterprises, where unfiltered_html is disabled to restrict content injection. Exploitation could lead to data leakage, defacement, or unauthorized administrative actions, impacting confidentiality and integrity of sensitive information. Although the vulnerability does not directly affect availability, the reputational damage and potential regulatory consequences under GDPR for data breaches could be significant. The medium severity score suggests moderate risk, but the requirement for high privileges limits the attack surface to insiders or compromised accounts.

European organizations should immediately verify if their WordPress installations use the Stylish Price List plugin and identify the version in use. Since no official patch links are provided, organizations should consider the following mitigations: 1) Restrict contributor and higher user roles to trusted personnel only, minimizing the risk of malicious insider activity. 2) Implement strict monitoring and auditing of user-generated content and plugin settings for suspicious scripts or anomalies. 3) Temporarily disable or remove the Stylish Price List plugin if feasible until an official patch is released. 4) Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting plugin-specific parameters. 5) Educate administrators and users about the risks of XSS and encourage prompt reporting of unusual site behavior. 6) Regularly update WordPress core and plugins to the latest versions once the vendor releases a fix. 7) Consider deploying Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of injected scripts. These steps go beyond generic advice by focusing on role-based access control, active monitoring, and layered defenses specific to this plugin vulnerability.