
CVE-2024-7759: CWE-79 Cross-Site Scripting (XSS) in Unknown PWA for WP

Medium
Tags: Vulnerability, CVE-2024-7759, cve, cve-2024-7759, cwe-79
Published: Thu May 15 2025 (05/15/2025, 20:07:11 UTC)
Source: CVE
Vendor/Project: Unknown
Product: PWA for WP

Description

The PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI-Powered Analysis

Last updated: 07/04/2025, 15:39:35 UTC

Technical Analysis

CVE-2024-7759 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin "PWA for WP" versions prior to 1.7.72. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings inputs. This flaw allows users with high privileges, such as administrators, to inject malicious scripts that are stored persistently within the plugin's settings. Notably, this vulnerability can be exploited even when the WordPress capability 'unfiltered_html' is disabled, such as in multisite environments, which typically restricts HTML input to prevent such attacks. The attack vector requires high privilege (admin) and user interaction (an admin must input the malicious payload), but once exploited, the stored script can execute in the context of other users viewing affected pages or admin interfaces, potentially leading to session hijacking, privilege escalation, or further compromise of the WordPress site. The CVSS 3.1 base score is 4.8 (medium), reflecting the network attack vector, low attack complexity, required high privileges, and user interaction. The vulnerability impacts confidentiality and integrity but does not affect availability. No known exploits are currently reported in the wild, and no official patches or updates are linked yet, though the fixed version is 1.7.72 or later. The vulnerability is classified under CWE-79, which covers Cross-Site Scripting issues due to improper input validation and output encoding.
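As an added illustration, not code from PWA for WP, the defect class described above in a hypothetical WordPress settings handler: a setting that is stored raw and echoed raw (exploitable by any administrator whether or not unfiltered_html is granted, because nothing on that path consults it), beside a version that registers a sanitize_callback so every write is filtered and escapes the value on output. The option name pwa_demo_app_name and all function names are assumptions.

```php
<?php
// Added example, not the plugin's own code. "pwa_demo_app_name" is a
// hypothetical option used only to show the two patterns side by side.

// VULNERABLE pattern: the POST value is stored unfiltered and the stored
// value is printed straight into an attribute. The unfiltered_html
// capability never enters this path, so disallowing it does not help.
function pwa_demo_save_setting_vulnerable() {
    if ( isset( $_POST['pwa_demo_app_name'] ) ) {
        update_option( 'pwa_demo_app_name', $_POST['pwa_demo_app_name'] );
    }
}
function pwa_demo_render_setting_vulnerable() {
    echo '<input type="text" name="pwa_demo_app_name" value="'
        . get_option( 'pwa_demo_app_name', '' ) . '">';
}

// HARDENED pattern: sanitise on every write, escape on every read.
function pwa_demo_sanitize_app_name( $value ) {
    // Plain-text setting: strip tags and control bytes, collapse whitespace.
    return sanitize_text_field( (string) $value );
}
function pwa_demo_register_setting() {
    // register_setting() hooks the callback into sanitize_option_{$option},
    // which update_option() runs, so direct writes are filtered too.
    register_setting(
        'pwa_demo_options',
        'pwa_demo_app_name',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'pwa_demo_sanitize_app_name',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'pwa_demo_register_setting' );

function pwa_demo_save_setting_hardened() {
    // Capability and nonce checks before touching the option at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'pwa_demo_save', 'pwa_demo_nonce' );
    if ( isset( $_POST['pwa_demo_app_name'] ) ) {
        update_option( 'pwa_demo_app_name', wp_unslash( $_POST['pwa_demo_app_name'] ) );
    }
}
function pwa_demo_render_setting_hardened() {
    // esc_attr() encodes quotes and angle brackets, so the stored text
    // cannot break out of the attribute even if sanitisation is bypassed.
    echo '<input type="text" name="pwa_demo_app_name" value="'
        . esc_attr( get_option( 'pwa_demo_app_name', '' ) ) . '">';
}
```

The output escaping is the second line of defence the advisory's "sanitise and escape" wording refers to: a setting that is only sanitised on input is still exposed if another code path writes to the option.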

Potential Impact

For European organizations using WordPress with the PWA for WP plugin, this vulnerability poses a moderate risk. Organizations with multisite WordPress deployments or those that restrict unfiltered HTML capabilities might have a false sense of security, as this vulnerability bypasses such restrictions for high-privilege users. An attacker with admin access could inject malicious scripts that execute in other administrators' or users' browsers, potentially leading to session hijacking, theft of sensitive information, or further compromise of the website and backend systems. This could result in data breaches, defacement, or unauthorized access to internal resources. Given the widespread use of WordPress across European businesses, including e-commerce, government, and media sectors, exploitation could impact confidentiality and integrity of data, damage reputation, and lead to regulatory non-compliance under GDPR if personal data is exposed or manipulated.

Mitigation Recommendations

European organizations should immediately verify their use of the PWA for WP plugin and update to version 1.7.72 or later once available. Until patched, restrict administrative access strictly to trusted personnel and review all plugin settings for suspicious or unexpected content. Implement Content Security Policy (CSP) headers to reduce the impact of XSS attacks by restricting script execution sources. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting plugin settings. Conduct regular audits of user privileges to ensure only necessary users have admin rights. Additionally, monitor logs for unusual admin activity and consider isolating multisite environments to limit cross-site contamination. Educate administrators about the risks of injecting untrusted content even with high privileges. Finally, maintain regular backups to enable recovery in case of compromise.


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-08-13T17:53:01.430Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aeb8d4

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/4/2025, 3:39:35 PM

Last updated: 7/26/2025, 9:42:14 AM
