CVE-2024-8804 is a stored cross-site scripting (XSS) vulnerability identified in the Code Embed plugin for WordPress, developed by dartiss. This vulnerability affects all versions up to and including 2.4. The root cause is improper neutralization of input during web page generation, specifically within the plugin's script embed functionality. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages. Because the plugin does not sufficiently restrict who can embed scripts, these malicious scripts are stored persistently and executed in the context of any user who views the affected page, including administrators and other privileged users. This can lead to session hijacking, privilege escalation, defacement, or distribution of malware. The CVSS v3.1 score is 6.4 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and privileges of a contributor-level user, but does not require user interaction. The scope is changed as the vulnerability affects all users viewing the injected content. No known public exploits have been reported yet, but the vulnerability's presence in a widely used WordPress plugin makes it a significant risk. The lack of an official patch at the time of publication necessitates immediate mitigation steps by site administrators.

The primary impact of CVE-2024-8804 is the compromise of confidentiality and integrity of user sessions and data on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of any user visiting the infected page, potentially stealing cookies, session tokens, or other sensitive information. This can lead to account takeover, unauthorized actions performed on behalf of users, and defacement of website content. The vulnerability does not directly impact availability but can indirectly cause service disruptions if exploited for further attacks or if administrators disable affected functionality. Organizations relying on the Code Embed plugin risk reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. The ease of exploitation by authenticated contributors makes it a significant threat in environments with multiple content editors or contributors, such as news sites, blogs, and corporate portals. The widespread use of WordPress globally amplifies the potential scale of impact.

1. Immediately review and restrict contributor-level user permissions to only trusted individuals until a patch is available. 2. Disable or remove the Code Embed plugin if it is not essential to reduce the attack surface. 3. Implement strict content security policies (CSP) to limit the execution of unauthorized scripts on the website. 4. Monitor and audit embedded scripts and page content for suspicious or unauthorized code injections regularly. 5. Educate content contributors about the risks of embedding untrusted scripts or code. 6. Apply any official patches or updates from the plugin vendor as soon as they are released. 7. Use web application firewalls (WAF) with rules designed to detect and block XSS payloads targeting this plugin. 8. Consider implementing multi-factor authentication (MFA) for all users with contributor-level access or higher to reduce the risk of compromised accounts. 9. Backup website data frequently to enable quick restoration if exploitation occurs.