CVE-2024-8747 is a stored cross-site scripting vulnerability classified under CWE-79, found in the 'Email Obfuscate Shortcode' WordPress plugin developed by khromov. The vulnerability affects all versions up to and including 2.0. It stems from insufficient sanitization and escaping of user-supplied attributes within the plugin's 'email-obfuscate' shortcode, which is used to obfuscate email addresses on WordPress sites. An attacker with contributor-level or higher privileges can inject arbitrary JavaScript code into pages or posts by exploiting this flaw. Because the malicious script is stored in the content, it executes whenever any user accesses the affected page, potentially leading to session hijacking, credential theft, or unauthorized actions performed in the context of the victim's browser session. The vulnerability requires authentication but no user interaction beyond viewing the infected page. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. No patches or exploit code are currently publicly available, but the risk remains significant for sites using this plugin without mitigation. The scope is limited to WordPress sites using this specific plugin, but given WordPress's widespread use, the potential reach is broad.

The primary impact of CVE-2024-8747 is the compromise of confidentiality and integrity on affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts, which execute in the browsers of any users visiting the infected pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential spread of malware. While availability is not directly impacted, the reputational damage and user trust erosion can be significant. Organizations relying on the Email Obfuscate Shortcode plugin are at risk of targeted attacks, especially if contributor accounts are compromised or misused. Since the vulnerability requires authenticated access, the threat is more relevant in environments with multiple contributors or where account compromise is feasible. The medium CVSS score reflects moderate ease of exploitation and significant potential damage, particularly for high-traffic or sensitive websites.

To mitigate CVE-2024-8747, organizations should first check for and apply any official patches or updates from the plugin vendor once available. In the absence of patches, administrators should consider disabling or removing the Email Obfuscate Shortcode plugin to eliminate the attack surface. Restrict contributor-level access strictly to trusted users and audit existing contributor accounts for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs or script injection patterns. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Regularly scan WordPress sites for XSS vulnerabilities and malicious content injections. Educate content contributors about safe content practices and the risks of injecting untrusted code. Finally, monitor site logs and user reports for signs of exploitation or anomalous behavior related to this vulnerability.