CVE-2024-7775 is a cross-site scripting (XSS) vulnerability classified under CWE-79 found in the WordPress plugin 'Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder' developed by bitpressadmin. The vulnerability exists in versions 2.0 through 2.13.9 due to insufficient input validation in the addCustomCode function. This flaw allows authenticated users with administrator-level privileges to upload arbitrary JavaScript files to the server hosting the WordPress site. Because the plugin handles custom code additions for contact forms, the lack of sanitization or neutralization of input enables attackers to inject malicious scripts that can execute in the context of the site. The vulnerability does not require user interaction but does require high privileges, limiting exploitation to insiders or compromised admin accounts. The CVSS v3.1 base score is 5.5, with vector AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, high privileges required, no user interaction, scope changed, and low confidentiality and integrity impact without availability impact. No public exploits are currently known. The vulnerability could be leveraged to conduct persistent XSS attacks, steal sensitive information, or perform actions on behalf of administrators, potentially leading to further compromise of the site or its users.

The primary impact of CVE-2024-7775 is the potential for attackers with administrator access to upload and execute arbitrary JavaScript code on affected WordPress sites. This can lead to unauthorized actions such as session hijacking, credential theft, defacement, or pivoting to other parts of the network. Although exploitation requires administrator privileges, the vulnerability increases the risk posed by insider threats or compromised admin accounts. The confidentiality and integrity of site data and user information can be partially compromised. Availability is not directly impacted. Organizations relying on this plugin for contact forms may face reputational damage, data breaches, or regulatory consequences if exploited. Since WordPress powers a significant portion of the web, sites using this plugin globally are at risk, especially those with weak administrative account protections or insufficient monitoring. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future.

1. Immediately update the 'Contact Form by Bit Form' plugin to the latest version once a patch is released by the vendor to fix the input validation issue in the addCustomCode function. 2. Until a patch is available, restrict administrator access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised admin accounts. 3. Implement web application firewall (WAF) rules to detect and block suspicious JavaScript uploads or unusual admin panel activities related to custom code additions. 4. Regularly audit and monitor administrator activities and uploaded files for signs of malicious code or unauthorized changes. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. 6. Conduct regular security assessments and vulnerability scans on WordPress installations and plugins to identify and remediate similar issues proactively. 7. Educate site administrators on the risks of uploading custom code and the importance of validating inputs.