CVE-2024-8666 is a stored cross-site scripting (XSS) vulnerability identified in the Shoutcast Icecast HTML5 Radio Player plugin for WordPress, affecting all versions up to and including 2.1.6. The root cause is insufficient sanitization and output escaping of user-supplied attributes within the plugin's 'html5radio' shortcode, allowing malicious scripts to be stored persistently in the website content. An attacker with authenticated contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts that utilize the shortcode. When other users, including administrators or site visitors, access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with the attack vector being network-based and requiring low attack complexity but limited privileges. The scope is changed because the vulnerability affects multiple users and their sessions. No user interaction is needed beyond the victim visiting the compromised page. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing contributor-level users to add or edit content. The lack of a patch at the time of publication necessitates immediate mitigation efforts to prevent exploitation.

The primary impact of CVE-2024-8666 is the compromise of confidentiality and integrity within affected WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of other users' browsers, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions with the victim's privileges. This can lead to account takeover, data leakage, defacement, or further compromise of the website. Since contributor-level users can exploit this, insider threats or compromised contributor accounts increase risk. The vulnerability does not directly affect availability but can indirectly cause service disruption through defacement or administrative lockout. Organizations relying on the Shoutcast Icecast HTML5 Radio Player plugin for content delivery or user engagement may face reputational damage and loss of user trust if exploited. The medium CVSS score reflects that while exploitation is not trivial, the consequences can be significant, especially for high-traffic or sensitive sites.

To mitigate CVE-2024-8666, organizations should first check for and apply any official patches or updates released by svnlabs once available. Until a patch is released, administrators should restrict contributor-level user permissions to prevent unauthorized shortcode usage or content editing. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode parameters can reduce risk. Site owners should audit existing content for injected scripts and remove any malicious code. Employing Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script sources and execution contexts. Additionally, educating contributors about safe content practices and monitoring user activity for anomalous behavior can prevent exploitation. Regular backups and incident response plans should be in place to recover from potential compromises. Finally, consider disabling or replacing the vulnerable plugin if it is not essential.