CVE-2024-8722 is a stored cross-site scripting vulnerability classified under CWE-79, found in the WP All Import Pro plugin developed by Soflyy for WordPress. This vulnerability affects all versions up to and including 4.9.7. The root cause is insufficient input sanitization and output escaping when handling SVG file uploads. Specifically, authenticated users with Administrator-level access or higher can upload SVG files containing malicious JavaScript code. Because the plugin does not properly neutralize this input, the malicious script is stored and later executed in the context of any user who views the SVG file, leading to stored XSS. This can result in session hijacking, privilege escalation, or other malicious actions performed in the context of the victim’s browser session. The vulnerability requires authenticated access with high privileges, no user interaction is needed for the script to execute once the SVG is accessed, and the scope is confined to websites using this plugin. The CVSS 3.1 base score is 5.5, indicating a medium severity due to network attack vector, low attack complexity, required privileges, and no user interaction. No public exploits or active exploitation have been reported as of now. The vulnerability highlights the risks of improper input validation in web applications, especially in plugins that handle file uploads and content generation dynamically.

The primary impact of CVE-2024-8722 is on the confidentiality and integrity of affected WordPress sites using the WP All Import Pro plugin. Successful exploitation allows an attacker with administrator privileges to inject persistent malicious scripts that execute in the browsers of site visitors or administrators viewing the SVG files. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. Although availability is not directly impacted, the trustworthiness and security posture of the website can be severely compromised. Organizations relying on this plugin for importing XML or CSV data are at risk of internal abuse or compromise if administrator accounts are compromised or malicious insiders exist. The medium severity score reflects that exploitation requires high privileges, limiting the attack surface to insiders or compromised admin accounts. However, the widespread use of WordPress and this plugin in content management and e-commerce platforms globally means the potential impact is significant if exploited. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat.

1. Immediate mitigation involves updating the WP All Import Pro plugin to a version where this vulnerability is patched once available. Monitor Soflyy’s official channels for security updates. 2. If patching is not immediately possible, restrict SVG file uploads to trusted users only and disable SVG uploads if feasible. 3. Implement web application firewall (WAF) rules to detect and block malicious payloads in SVG uploads or requests accessing SVG files. 4. Enforce the principle of least privilege by limiting administrator accounts and regularly auditing user permissions to reduce the risk of insider threats. 5. Conduct regular security reviews and input validation checks on all file upload functionalities. 6. Educate administrators about the risks of uploading untrusted SVG files and encourage use of safer file formats. 7. Monitor logs for unusual activity related to SVG file uploads or access patterns that could indicate exploitation attempts. 8. Employ Content Security Policy (CSP) headers to restrict script execution contexts and reduce the impact of XSS attacks. 9. Consider implementing additional output encoding or sanitization layers on the server side for SVG content rendering. These steps collectively reduce the likelihood and impact of exploitation beyond generic patching advice.