CVE-2024-8323: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in fatcatapps Pricing Tables WordPress Plugin – Easy Pricing Tables
CVE-2024-8323 is a stored cross-site scripting (XSS) vulnerability in the Pricing Tables WordPress Plugin – Easy Pricing Tables, affecting all versions up to and including 3.2.6. The flaw arises from missing input sanitization and output escaping of the 'fontFamily' attribute, so an authenticated user with the Contributor role or higher can store a script payload in that attribute. The payload executes in the browser of any user who views the affected page, including administrators, and can be used for session hijacking, defacement, or actions performed with the victim's privileges. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, and a scope change. No exploitation in the wild has been reported. Sites running this plugin should update to a release later than 3.2.6 if the vendor has published one, or apply the mitigations below, particularly sites that accept content from several contributors. Exposure follows WordPress market share, so the risk is broad rather than tied to any one region.
AI Analysis
Technical Summary
CVE-2024-8323 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Pricing Tables WordPress Plugin – Easy Pricing Tables developed by fatcatapps. The plugin reads the 'fontFamily' attribute of a pricing table and writes it into the generated page without sanitizing it on save or escaping it on output. Authenticated users with Contributor-level permissions or higher can therefore place arbitrary HTML or JavaScript in the fontFamily field; Contributors cannot post raw script through the normal editor (WordPress strips it for users without the unfiltered_html capability), so an attribute that a plugin renders verbatim from PHP is exactly the kind of gap that turns a low-privilege account into a stored XSS. Because the injected value is persisted with the post, the script runs every time a user loads the affected page, which can expose session cookies, perform authenticated actions on the victim's behalf, or, when the victim is an administrator, be used to escalate privileges. The vulnerability affects all versions up to and including 3.2.6. The CVSS 3.1 base score is 6.4 (medium); the components stated for it (network attack vector, low attack complexity, low privileges, no user interaction, scope change, limited confidentiality and integrity impact, no availability impact) correspond to the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. No public exploit has been reported, but the ease of exploitation by an authenticated low-privilege user and the persistence of stored XSS make it a meaningful risk for any site running the plugin. This record carries no patch link; that is a property of the record, not proof that no fix exists, so check the plugin's changelog on WordPress.org for a release later than 3.2.6 before concluding that mitigation is the only option.
Potential Impact
The impact of CVE-2024-8323 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser, in the origin of the site, which can lead to session hijacking, theft of cookies or other sensitive data, injection of fake login forms, defacement, or redirection to malicious sites. Because the attacker only needs a Contributor account, the risk is highest on sites with many content contributors, open or loosely vetted registration, or roles that are not regularly reviewed. The scope change in the CVSS vector reflects that the vulnerable component is the plugin but the code executes in the user's browser against the whole site: if an Editor or Administrator previews or views the poisoned page, the script runs with that user's session and can drive wp-admin actions such as creating a new administrator. Availability is not directly affected, but the resulting account takeover, data exposure, and reputational damage can be severe. The threat is most concerning for organizations that rely on WordPress for public-facing websites, e-commerce, or customer portals where trust and data protection are critical.
Mitigation Recommendations
First check whether fatcatapps has released a version later than 3.2.6 and update if so; this record lists no patch link, so consult the plugin changelog rather than assuming none exists. If no fixed release is available, disable or remove the plugin until one is. Review user roles so that only trusted accounts hold Contributor-level or higher access, and audit existing pricing tables for fontFamily values that contain characters a font name never needs, such as quotes, angle brackets, or the string on followed by =, since those indicate an attribute break-out attempt. For plugin authors and anyone maintaining a fork, the correct fix is to validate the attribute against an allowlist when it is saved and to escape it with esc_attr() (or the escaping function appropriate to the output context) when it is rendered; WordPress's post-content filtering does not cover values a plugin echoes from PHP. Web Application Firewall rules can catch common XSS payloads in the fontFamily parameter, but they are a stop-gap, as the payload is submitted through normal authenticated editor or REST API requests. Enforce a Content Security Policy that disallows inline event handlers and unsafe-inline scripts to limit what an injected handler can do, noting that many WordPress themes and plugins still depend on inline scripts and will need nonces or hashes before such a policy can be strict. Keep WordPress core, themes, and plugins current, and monitor content changes by low-privilege accounts for anomalies.
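As an added illustration, not the plugin's own code and not a reproduction of the actual vulnerable function, the plain PHP below shows the CWE-79 shape this advisory describes: a pricing-table attribute concatenated straight into a style attribute, beside a hardened version that allowlists the value on save and escapes it on output. Function names prefixed ept_ are hypothetical; htmlspecialchars() stands in for WordPress's esc_attr() so the file runs without a WordPress install, and the attacker input is constructed for the example.

```php
<?php
// Added example for CVE-2024-8323 (CWE-79). Hypothetical ept_* helpers,
// not code from Easy Pricing Tables. htmlspecialchars() plays the role
// that esc_attr() plays inside WordPress.

// Vulnerable shape: the stored attribute is emitted verbatim, so a value
// containing a double quote closes style="" and the rest becomes new
// HTML attributes on the element.
function ept_render_vulnerable(array $attrs): string
{
    $font = $attrs['fontFamily'] ?? 'inherit';
    return '<div class="ept-pricing-table" style="font-family: ' . $font . '">'
         . 'Pricing</div>';
}

// Layer 1, on save: allowlist. A CSS font-family list only needs
// letters, digits, spaces, commas, underscores and hyphens (multi-word
// names such as Open Sans are valid unquoted). Anything else, including
// quotes, angle brackets and parentheses, is replaced by a safe default.
function ept_sanitize_font_family(string $value): string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > 100) {
        return 'inherit';
    }
    if (!preg_match('/^[A-Za-z0-9 ,_-]+$/', $value)) {
        return 'inherit';
    }
    return $value;
}

// Layer 2, on output: escape for the HTML attribute context regardless
// of what is stored. ENT_QUOTES encodes both " and ' so the value can
// never terminate the enclosing attribute.
function ept_esc_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function ept_render_hardened(array $attrs): string
{
    $font = ept_sanitize_font_family((string) ($attrs['fontFamily'] ?? ''));
    return '<div class="ept-pricing-table" style="font-family: '
         . ept_esc_attr($font) . '">Pricing</div>';
}

// Constructed inputs: what a Contributor could store as the attribute.
$malicious  = ['fontFamily' => 'Arial" onmouseover="alert(document.cookie)'];
$legitimate = ['fontFamily' => 'Open Sans, Arial, sans-serif'];

echo "vulnerable, malicious:  ", ept_render_vulnerable($malicious), PHP_EOL;
echo "hardened,   malicious:  ", ept_render_hardened($malicious), PHP_EOL;
echo "hardened,   legitimate: ", ept_render_hardened($legitimate), PHP_EOL;

// Escaping alone, shown on the raw payload, so the second layer is
// visible even for a value that an allowlist might one day let through.
echo "escaped raw payload:    ", ept_esc_attr($malicious['fontFamily']), PHP_EOL;
```

Run it with php on the command line. The vulnerable line renders an element whose style attribute ends at the injected quote and which carries an onmouseover handler; the hardened line renders font-family: inherit for the same input and passes the legitimate font list through unchanged. Keep both layers in a real plugin: the allowlist stops CSS-level abuse that escaping does not address, and the output escaping keeps the page safe if the allowlist is later loosened or if data was stored before the check existed.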
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-08-29T20:24:39.590Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c26b7ef31ef0b5607d9
Added to database: 2/25/2026, 9:39:50 PM
Last enriched: 2/26/2026, 3:56:55 AM
Last updated: 2/26/2026, 9:11:21 AM
Related Threats
- CVE-2026-28138: Deserialization of Untrusted Data in Stylemix uListing
- CVE-2026-28136: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in VeronaLabs WP SMS
- CVE-2026-28132: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in villatheme WooCommerce Photo Reviews
- CVE-2026-28131: Insertion of Sensitive Information Into Sent Data in WPVibes Elementor Addon Elements
- CVE-2026-28083: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in UX-themes Flatsome