CVE-2024-8724 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Waitlist Woocommerce (Back in stock notifier) plugin for WordPress, affecting all versions up to and including 2.7.5. The root cause is the use of the WordPress function add_query_arg without proper escaping or sanitization of user-supplied input in URL parameters. This improper neutralization allows attackers to craft malicious URLs containing arbitrary JavaScript code. When a victim clicks such a URL, the injected script executes in the context of the vulnerable website, potentially leading to theft of cookies, session tokens, or other sensitive information, as well as manipulation of the webpage content. The vulnerability is exploitable by unauthenticated attackers and requires user interaction (clicking a malicious link). The CVSS 3.1 base score is 6.1, reflecting a medium severity level due to the network attack vector, low attack complexity, no privileges required, but requiring user interaction and impacting confidentiality and integrity with no impact on availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially e-commerce sites relying on WooCommerce for stock notifications. The reflected XSS can be leveraged for phishing, session hijacking, or delivering further malware payloads.

The primary impact of CVE-2024-8724 is on the confidentiality and integrity of affected websites and their users. Attackers can steal session cookies, enabling account takeover or impersonation. They can also manipulate webpage content to conduct phishing attacks or spread malware. For e-commerce sites, this can lead to loss of customer trust, financial fraud, and reputational damage. Since the vulnerability is reflected XSS, it requires user interaction, limiting automated mass exploitation but still posing a significant risk through targeted phishing campaigns. The vulnerability does not affect system availability directly but can indirectly cause service disruptions due to compromised accounts or injected malicious content. Organizations worldwide using the vulnerable plugin are at risk, especially those with high traffic or sensitive customer data.

To mitigate CVE-2024-8724, organizations should immediately update the Waitlist Woocommerce (Back in stock notifier) plugin to a patched version once available. In the absence of an official patch, apply manual mitigations such as sanitizing and escaping all user inputs before using them in URL parameters, specifically replacing or wrapping add_query_arg calls with proper escaping functions like esc_url or esc_html. Implement Web Application Firewall (WAF) rules to detect and block suspicious query strings containing script tags or JavaScript event handlers. Educate users and staff about the risks of clicking unsolicited links to reduce successful phishing attempts. Additionally, enable Content Security Policy (CSP) headers to restrict script execution sources, limiting the impact of injected scripts. Regularly audit and monitor web logs for unusual URL patterns indicative of exploitation attempts. Finally, consider disabling or replacing the vulnerable plugin if immediate patching is not feasible.