The WP Category Dropdown plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2024-8103. This vulnerability is due to improper neutralization of input during web page generation, specifically involving the 'align' parameter. The plugin fails to adequately sanitize and escape this parameter before rendering it on pages, enabling attackers with Contributor-level or higher privileges to inject arbitrary JavaScript code. Because the malicious payload is stored persistently, it executes every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions within the context of the victim's browser. The vulnerability affects all versions up to and including 1.8. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with no availability impact. No patches or known exploits are currently documented, but the vulnerability poses a significant risk in environments where the plugin is installed and users have Contributor or higher roles. The flaw is categorized under CWE-79, highlighting improper input neutralization during web page generation.

This vulnerability allows authenticated users with Contributor-level access or above to inject malicious scripts that execute in the browsers of any users viewing the compromised pages. The impact includes potential session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and possible defacement or redirection to malicious sites. Since WordPress powers a large number of websites globally, any site using the vulnerable plugin is at risk of compromise, especially those with multiple contributors or editors. The scope of impact extends to site visitors and administrators alike, potentially damaging reputation, user trust, and leading to data breaches. Although exploitation requires authenticated access, many WordPress sites allow Contributor roles for content creation, increasing the attack surface. The vulnerability does not affect availability but compromises confidentiality and integrity, which can have serious consequences for organizations relying on WordPress for content management.

Organizations should immediately review their WordPress installations for the presence of the WP Category Dropdown plugin and verify the version in use. Since no official patch is currently available, administrators should consider temporarily disabling or uninstalling the plugin until a fix is released. Restrict Contributor-level access to trusted users only and audit existing users for unnecessary privileges. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'align' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor logs and user activity for signs of exploitation attempts. Educate content contributors about the risks of injecting untrusted input. Once a patch is released, apply it promptly. Additionally, consider using security plugins that sanitize inputs and outputs to provide an additional layer of defense.