CVE-2024-9023 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WP-WebAuthn plugin for WordPress, specifically affecting all versions up to and including 1.3.1. The vulnerability stems from insufficient sanitization and output escaping of user-supplied attributes in the plugin's wwa_login_form shortcode. Authenticated users with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize this shortcode. Once injected, the malicious scripts execute in the context of any user who accesses the affected page, potentially compromising user sessions, stealing sensitive data, or performing unauthorized actions on behalf of users. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the common use of WordPress and the plugin's role in authentication workflows. The lack of official patches at the time of reporting necessitates immediate attention from administrators to mitigate potential exploitation.

The impact of CVE-2024-9023 is primarily on the confidentiality and integrity of WordPress sites using the WP-WebAuthn plugin. Exploitation allows authenticated attackers with contributor-level access to inject persistent malicious scripts, which execute in the browsers of any users visiting the compromised pages. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed with the victim's privileges, defacement, or distribution of malware. Since the vulnerability affects authentication-related functionality, successful exploitation could undermine site security and user trust. The requirement for contributor-level access limits the attack surface to insiders or compromised accounts but does not eliminate risk, especially on sites with multiple contributors or less stringent access controls. The scope change in CVSS indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire WordPress site. Organizations worldwide relying on this plugin for WebAuthn-based authentication are at risk of targeted attacks, data breaches, and reputational damage.

1. Immediately restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 2. Monitor and audit user-generated content, especially pages using the wwa_login_form shortcode, for suspicious or unexpected scripts. 3. Implement additional input validation and output encoding at the application or web server level to neutralize potentially malicious inputs. 4. Use Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting this plugin. 5. Encourage plugin developers or maintainers to release a security patch promptly; apply updates as soon as they become available. 6. Consider temporarily disabling or replacing the WP-WebAuthn plugin with alternative authentication solutions until a fix is released. 7. Educate site administrators and contributors about the risks of injecting untrusted content and enforce secure coding and content management practices. 8. Regularly back up site data and configurations to enable recovery in case of compromise.