CVE-2024-8189 is a stored cross-site scripting vulnerability in the WP MultiTasking – WP Utilities plugin for WordPress, affecting all versions up to 0.1.17. The issue stems from improper neutralization of input in the 'wpmt_menu_name' parameter, which allows authenticated users with administrator privileges on multi-site WordPress installations (where unfiltered_html is disabled) to inject arbitrary scripts. These scripts execute in the context of users visiting the injected pages, potentially leading to limited confidentiality and integrity impacts. The vulnerability requires high privileges and has a high attack complexity, reflected in its CVSS vector.

An authenticated attacker with administrator-level access on a multi-site WordPress installation can inject malicious scripts via the vulnerable parameter. This can lead to execution of arbitrary web scripts in the context of other users viewing the affected pages, potentially compromising confidentiality and integrity of user sessions or data. The impact is limited by the requirement for administrator privileges and the specific configuration conditions (multi-site and unfiltered_html disabled). There are no known exploits in the wild at this time.

No official patch or fix is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. In the meantime, restrict administrator access to trusted users only and consider disabling or removing the WP MultiTasking – WP Utilities plugin if multi-site functionality is not required. Since this vulnerability only affects multi-site installations with unfiltered_html disabled, verifying and adjusting these configurations may reduce exposure. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.