CVE-2024-8364 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP Custom Fields Search plugin for WordPress, developed by dondon-benjamincouk. This vulnerability exists in all versions up to and including 1.2.35. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of user-supplied attributes in the plugin's wpcfs-preset shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the shortcode parameters. Because the injected scripts are stored and rendered whenever the affected page is accessed, any user visiting the page will execute the malicious payload. This can lead to a range of attacks including session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability has a CVSS v3.1 score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change due to affecting other users. No known public exploits have been reported yet. The vulnerability highlights the risk of insufficient input validation in WordPress plugins, especially those that allow user-generated content or shortcode parameters. Since WordPress powers a significant portion of the web, and this plugin is used to enhance search capabilities via custom fields, the impact can be widespread if exploited. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS. The vendor has not yet published a patch or mitigation guidance, so users must take interim protective measures.

The impact of CVE-2024-8364 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts that execute in the context of any user viewing the compromised page. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access. Attackers could also perform actions on behalf of other users, deface websites, or deliver malware payloads. Although availability is not directly impacted, the reputational damage and potential data breaches can be significant. Organizations relying on the WP Custom Fields Search plugin, especially those with multiple contributors or user-generated content, face increased risk. The vulnerability could be leveraged in targeted attacks against high-value WordPress sites, including e-commerce, media, or corporate portals. Given the medium CVSS score and the requirement for contributor-level privileges, the threat is moderate but should not be underestimated, particularly in environments with many contributors or less stringent access controls.

1. Immediately restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 2. Monitor and audit all user-generated content and shortcode usage for suspicious or unexpected scripts or HTML. 3. Until an official patch is released, consider disabling or removing the WP Custom Fields Search plugin if it is not critical to operations. 4. Implement Web Application Firewall (WAF) rules to detect and block attempts to inject or execute malicious scripts via the wpcfs-preset shortcode parameters. 5. Educate content contributors about safe content practices and the risks of injecting untrusted code. 6. Regularly back up WordPress sites to enable quick restoration in case of compromise. 7. Follow the vendor’s updates closely and apply patches immediately once available. 8. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 9. Use security plugins that can detect and alert on XSS attempts or unusual shortcode behavior. 10. Review and harden WordPress user roles and permissions to enforce the principle of least privilege.