CVE-2024-8917 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the AnWP Football Leagues plugin for WordPress in all versions up to and including 0.16.7. The vulnerability stems from improper neutralization of input during web page generation, specifically related to SVG file uploads. Authenticated users with Author-level access or higher can upload SVG files containing malicious JavaScript code due to insufficient input sanitization and lack of proper output escaping. When other users view pages containing these SVG files, the embedded scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious actions. The CVSS 3.1 base score is 6.4, reflecting a network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), with a scope change (S:C), and impacts on confidentiality and integrity but not availability. The vulnerability is significant because SVG files are commonly used for scalable graphics and often trusted, making this an effective vector for persistent XSS attacks. No known public exploits or patches are currently available, but the vulnerability is publicly disclosed and should be addressed promptly.

The impact of CVE-2024-8917 is primarily on the confidentiality and integrity of affected WordPress sites using the AnWP Football Leagues plugin. Successful exploitation allows an attacker with Author-level privileges to inject persistent malicious scripts that execute in the context of other users’ browsers. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. Since the vulnerability requires authenticated access, the risk is somewhat mitigated but remains significant in environments where multiple users have elevated privileges or where account compromise is possible. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting the entire site. Organizations relying on this plugin for football league management or fan engagement may face reputational damage, data breaches, and user trust erosion if exploited.

To mitigate CVE-2024-8917, organizations should immediately restrict SVG file upload permissions to only highly trusted users or temporarily disable SVG uploads if possible. Implement strict input validation and sanitization on all uploaded SVG files, ensuring that any embedded scripts or potentially malicious content are removed or neutralized. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS attacks. Monitor user roles and audit accounts with Author-level or higher privileges to detect suspicious activity. Regularly update the AnWP Football Leagues plugin as soon as the vendor releases a patch addressing this vulnerability. Additionally, consider using web application firewalls (WAFs) with rules targeting SVG-based XSS payloads. Educate site administrators and users about the risks of uploading untrusted SVG content and enforce the principle of least privilege for user roles.