CVE-2024-8665 is a reflected cross-site scripting vulnerability identified in the YITH Custom Login plugin for WordPress, a widely used plugin that customizes login pages. The vulnerability stems from the plugin's use of the WordPress function add_query_arg without proper escaping of URL parameters, which leads to improper neutralization of user-supplied input during web page generation. This flaw allows unauthenticated attackers to craft malicious URLs containing arbitrary JavaScript code. When a victim clicks such a link, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The vulnerability affects all versions up to and including 1.7.3. The CVSS 3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The scope is changed because the vulnerability affects the confidentiality and integrity of user data but not availability. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. This vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS attacks. Given the widespread use of WordPress and the popularity of YITH plugins, this vulnerability poses a significant risk to websites using this plugin, especially those handling sensitive user data or authentication.

The primary impact of CVE-2024-8665 is on the confidentiality and integrity of user sessions and data. Successful exploitation can allow attackers to execute arbitrary scripts in the context of the victim's browser, potentially leading to theft of authentication cookies, session tokens, or other sensitive information. This can facilitate account takeover, unauthorized actions on behalf of the user, or redirection to malicious websites for further exploitation. Although availability is not directly affected, the reputational damage and loss of user trust can be significant for affected organizations. E-commerce sites, membership portals, and any WordPress sites relying on YITH Custom Login for authentication customization are particularly vulnerable. The attack requires no authentication but does require user interaction (clicking a malicious link), which can be facilitated via phishing campaigns. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits may emerge. Organizations worldwide that use this plugin are at risk of targeted attacks aiming to compromise user accounts or deliver malware via injected scripts.

1. Immediately update the YITH Custom Login plugin to a patched version once it becomes available from the vendor. Monitor official channels for patch releases. 2. Until a patch is released, implement web application firewall (WAF) rules to detect and block suspicious query parameters or script injection attempts targeting the plugin's endpoints. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages, mitigating the impact of injected scripts. 4. Educate users and administrators about the risks of clicking unsolicited or suspicious links, especially those purporting to be related to login or account management. 5. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and their versions to identify vulnerable instances. 6. Consider temporarily disabling or replacing the YITH Custom Login plugin with alternative solutions that do not exhibit this vulnerability if patching is delayed. 7. Monitor logs for unusual URL parameters or repeated attempts to exploit query arguments that could indicate reconnaissance or exploitation attempts. 8. Harden WordPress installations by limiting plugin usage to trusted and actively maintained plugins and keeping all components updated.