CVE-2024-9066 identifies a stored cross-site scripting (XSS) vulnerability in the dale668 Marketing and SEO Booster plugin for WordPress, present in all versions up to and including 1.9.10. The flaw is due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of SVG file uploads. Authenticated users with Author-level permissions or higher can upload malicious SVG files containing embedded JavaScript. When other users access pages displaying these SVG files, the embedded scripts execute in their browsers, enabling attackers to perform actions such as session hijacking, data theft, or unauthorized actions within the WordPress site context. The vulnerability leverages the SVG format's capability to embed scripts, which the plugin fails to properly sanitize. The CVSS 3.1 base score is 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges (Author or higher), no user interaction, and a scope change due to potential impact on other users. No patches or fixes are currently linked, and no known exploits in the wild have been reported. This vulnerability highlights the risk of insufficient input validation in plugins handling file uploads, especially those allowing SVG content, which can embed executable code.

The impact of CVE-2024-9066 is significant for organizations using the dale668 Marketing and SEO Booster plugin on WordPress sites. An attacker with Author-level access can inject persistent malicious scripts via SVG uploads, which execute in the browsers of any users viewing the affected pages. This can lead to session hijacking, unauthorized actions performed with the victim's privileges, data exfiltration, or defacement of the website. Because the vulnerability affects all versions up to 1.9.10 and requires only Author-level access, it poses a risk from insider threats or compromised accounts. The scope of impact extends beyond the attacker to any user who views the malicious SVG, potentially including administrators or site visitors. Although no known exploits are reported in the wild, the ease of exploitation and the widespread use of WordPress and this plugin could lead to targeted attacks. The vulnerability could undermine trust in affected websites, cause data breaches, and disrupt normal operations.

To mitigate CVE-2024-9066, organizations should immediately restrict SVG file uploads to trusted users only and consider disabling SVG uploads entirely if not essential. Implement strict input validation and sanitization for SVG files, using libraries that safely parse and remove executable content from SVGs before upload or display. Upgrade the Marketing and SEO Booster plugin to a patched version once available or apply vendor-provided patches promptly. Employ a Web Application Firewall (WAF) with rules to detect and block malicious SVG payloads and suspicious script injections. Monitor user accounts with Author-level or higher privileges for suspicious activity and enforce strong authentication mechanisms to reduce risk from compromised accounts. Additionally, review and limit user permissions to the minimum necessary. Conduct regular security audits and scanning for XSS vulnerabilities in plugins and themes. Educate site administrators about the risks of uploading untrusted SVG files and the importance of plugin updates.