CVE-2024-8045 is a stored cross-site scripting vulnerability identified in the Advanced WordPress Backgrounds plugin, a popular WordPress extension used to enhance background image functionality. The vulnerability arises from improper neutralization of input during web page generation, specifically through the 'imageTag' parameter. This parameter lacks sufficient input sanitization and output escaping, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes in the context of any user who visits the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The vulnerability does not require user interaction to trigger once the page is loaded, and the attacker only needs low-level privileges, making it a significant risk in environments where Contributor roles are assigned. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. No patches or known exploits have been reported at the time of publication, but the vulnerability is publicly disclosed and should be addressed promptly to prevent exploitation.

The impact of CVE-2024-8045 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim’s browser, which can lead to session hijacking, theft of sensitive information such as cookies or credentials, defacement of website content, and unauthorized actions performed on behalf of users. Since the vulnerability requires only Contributor-level access, attackers who gain low-level authenticated access can escalate their impact significantly. This can undermine trust in the website, lead to data breaches, and potentially facilitate further attacks such as privilege escalation or malware distribution. The vulnerability does not directly affect availability but can indirectly cause service disruption through defacement or administrative lockouts. Organizations relying on the Advanced WordPress Backgrounds plugin, especially those with multiple authenticated users or public-facing content, face increased risk of reputational damage and data compromise if the vulnerability is exploited.

To mitigate CVE-2024-8045, organizations should first check for updates or patches from the plugin vendor and apply them immediately once available. In the absence of an official patch, administrators should restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious input patterns targeting the 'imageTag' parameter can provide temporary protection. Additionally, site owners should enforce Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Regularly auditing user roles and permissions to ensure least privilege principles are followed will limit the attack surface. Monitoring website content for unexpected changes and scanning for injected scripts can help detect exploitation attempts early. Finally, educating users about the risks of XSS and encouraging strong authentication practices will enhance overall security posture.