CVE-2024-8741 is a reflected Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the 'Beam me up Scotty – Back to Top Button' WordPress plugin developed by outtheboxthemes. The vulnerability exists in all versions up to and including 1.0.21 due to the improper use of the WordPress function add_query_arg without appropriate escaping or sanitization of URL parameters. This improper neutralization allows an attacker to craft malicious URLs that, when clicked by a victim, cause arbitrary JavaScript code to execute within the victim's browser under the context of the vulnerable website. The attack vector is remote and requires no authentication, but it does require user interaction (clicking a malicious link). The vulnerability impacts confidentiality and integrity by enabling theft of cookies, session tokens, or other sensitive data and potentially allowing actions on behalf of the user. The CVSS 3.1 base score is 6.1, indicating a medium severity level. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects websites using this plugin, which is a common WordPress enhancement for user interface navigation.

The primary impact of CVE-2024-8741 is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers can exploit this vulnerability to execute arbitrary scripts in users' browsers, leading to session hijacking, theft of authentication tokens, or redirection to malicious sites. This can result in unauthorized actions performed on behalf of users, data leakage, or further malware distribution. While availability is not directly affected, the reputational damage and loss of user trust can be significant for organizations. Since the plugin is used to enhance user navigation, many websites, including blogs, e-commerce, and corporate sites, may be affected. The ease of exploitation (no authentication required) and the widespread use of WordPress increase the risk of targeted phishing campaigns leveraging this vulnerability. Organizations with high traffic or sensitive user data are particularly at risk.

To mitigate CVE-2024-8741, organizations should immediately update the 'Beam me up Scotty – Back to Top Button' plugin to a patched version once available. In the absence of an official patch, administrators should consider disabling or removing the plugin to eliminate the attack surface. As a temporary workaround, implement web application firewall (WAF) rules to detect and block suspicious query parameters or scripts in URLs related to the plugin's functionality. Additionally, enforce Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of XSS attacks. Educate users to avoid clicking on suspicious links and monitor web server logs for unusual URL patterns. Regularly audit all WordPress plugins for security updates and apply the principle of least privilege to WordPress user roles to limit potential damage from compromised accounts.