CVE-2024-8267 is a stored cross-site scripting vulnerability identified in the Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player plugin for WordPress, maintained by princeahmed. The flaw exists due to insufficient sanitization and output escaping of the 'align' attribute within the 'wp:radio-player' Gutenberg block. Authenticated attackers with Contributor-level or higher privileges can exploit this vulnerability by injecting arbitrary JavaScript code into pages or posts. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability affects all versions up to and including 2.0.78. The CVSS 3.1 base score is 6.4, reflecting a network attack vector with low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or official fixes are currently linked, and no exploits have been reported in the wild. This vulnerability is categorized under CWE-79, indicating improper neutralization of input during web page generation. The issue is particularly critical for multi-user WordPress environments where contributors can add content, as it allows them to inject persistent malicious code affecting all visitors to the compromised pages.

The impact of CVE-2024-8267 is significant for organizations running WordPress sites with the vulnerable Radio Player plugin, especially those with multiple contributors or public-facing content. Exploitation can lead to persistent cross-site scripting attacks, enabling attackers to steal user credentials, hijack sessions, deface websites, or deliver malware to site visitors. This can result in reputational damage, loss of user trust, and potential regulatory consequences if sensitive data is compromised. Since the vulnerability requires authenticated access at the Contributor level, insider threats or compromised contributor accounts pose a direct risk. The scope change in the CVSS vector indicates that the attack can affect resources beyond the initially vulnerable component, potentially impacting the entire site or user base. Although no known exploits are currently in the wild, the medium severity and ease of exploitation make it a credible threat that could be leveraged in targeted attacks or automated scanning campaigns.

To mitigate CVE-2024-8267, organizations should first verify if they are using the Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player plugin version 2.0.78 or earlier. If so, they should monitor for official patches or updates from the vendor and apply them promptly once available. In the absence of a patch, administrators can restrict Contributor-level user permissions to prevent the addition of Gutenberg blocks that include the vulnerable 'align' attribute or disable the plugin temporarily if feasible. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injections targeting the 'align' attribute in the Gutenberg block can provide interim protection. Additionally, conducting regular security audits of user-generated content and employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts. Educating contributors about safe content practices and monitoring for unusual activity can further reduce risk. Finally, maintaining strict access controls and multi-factor authentication for all WordPress users will limit the potential for unauthorized exploitation.