CVE-2024-8959 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer plugin, which is widely used to customize WordPress admin interfaces. The vulnerability exists in all plugin versions up to and including 4.0.1.6. It stems from improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of SVG file uploads. Authenticated users with Author-level or higher privileges can upload crafted SVG files containing malicious JavaScript payloads. When these SVG files are accessed by any user, the embedded scripts execute in the context of the victim’s browser, potentially allowing attackers to steal cookies, perform actions on behalf of the victim, or manipulate site content. The vulnerability requires no user interaction beyond viewing the malicious SVG. The CVSS 3.1 base score of 6.4 reflects that the attack vector is network-based, with low complexity, requiring privileges but no user interaction, and impacts confidentiality and integrity with a scope change (cross-user impact). No patches or fixes are currently linked, and no known exploits in the wild have been reported, indicating a window for proactive mitigation. This vulnerability highlights the risk of insufficient input validation in file upload features, especially for SVGs which can embed scripts.

The impact of CVE-2024-8959 is significant for organizations using the WP Adminify plugin, particularly those that allow multiple users with Author-level or higher privileges to upload content. Successful exploitation can lead to session hijacking, unauthorized actions performed under victim user contexts, defacement, and potential lateral movement within the WordPress environment. Confidentiality is affected as attackers can steal authentication tokens or sensitive data accessible via the browser. Integrity is compromised through unauthorized content manipulation. Availability is not directly impacted. Because the vulnerability requires authenticated access, the risk is somewhat limited to environments with multiple trusted users or compromised accounts. However, in multi-user WordPress sites, especially those with contributors or editors, this can be a critical vector for privilege escalation and persistent compromise. The lack of user interaction required for exploitation increases the threat as any user viewing the malicious SVG is at risk. Organizations with high-value WordPress sites, including e-commerce, media, and enterprise portals, face reputational and operational risks if exploited.

To mitigate CVE-2024-8959, organizations should immediately update the WP Adminify plugin to a patched version once available. In the absence of an official patch, administrators should restrict SVG file uploads to trusted users only or disable SVG uploads entirely. Implement server-side input validation and sanitization for SVG files, removing any embedded scripts or potentially malicious content before storage or display. Employ Content Security Policy (CSP) headers to limit script execution contexts and reduce XSS impact. Monitor user roles and permissions to minimize the number of users with Author-level or higher privileges. Regularly audit uploaded files for suspicious content. Additionally, consider using security plugins that detect and block XSS payloads or anomalous file uploads. Educate users about the risks of uploading untrusted files and enforce strong authentication and session management controls to limit exploitation scope.