
CVE-2024-9072: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gdprextensionscom GDPR-Extensions-com – Consent Manager

Severity: Medium
Tags: Vulnerability, CVE-2024-9072, CWE-79
Published: Thu Oct 10 2024 (10/10/2024, 02:06:02 UTC)
Source: CVE Database V5
Vendor/Project: gdprextensionscom
Product: GDPR-Extensions-com – Consent Manager

Description

CVE-2024-9072 is a stored Cross-Site Scripting (XSS) vulnerability in the GDPR-Extensions-com Consent Manager WordPress plugin affecting all versions up to 1.0.0. Authenticated users with Author-level privileges or higher can upload malicious SVG files containing scripts that execute when accessed by other users. This vulnerability arises from insufficient input sanitization and output escaping of SVG uploads. Exploitation does not require user interaction beyond accessing the malicious SVG. The CVSS score is 6.4 (medium severity), reflecting the need for authentication but also the potential for script injection impacting confidentiality and integrity. No known exploits are currently reported in the wild. Organizations using this plugin should urgently review user privileges and implement strict file upload controls.

AI-Powered Analysis

Last updated: 02/25/2026, 23:02:35 UTC

Technical Analysis

CVE-2024-9072 identifies a stored Cross-Site Scripting vulnerability in the GDPR-Extensions-com Consent Manager plugin for WordPress, present in all versions up to and including 1.0.0. The vulnerability stems from improper neutralization of input during web page generation, specifically related to SVG file uploads. Authenticated users with Author-level access or higher can upload SVG files containing malicious JavaScript payloads. Due to insufficient sanitization and output escaping, these scripts are stored and later executed in the context of any user who views the SVG file, potentially including administrators or other privileged users. This can lead to theft of session cookies, unauthorized actions, or further compromise of the WordPress site. The vulnerability requires authentication but no additional user interaction beyond viewing the malicious SVG. The CVSS 3.1 score of 6.4 reflects a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed as the vulnerability affects multiple users who access the SVG content. No patches or fixes are currently published, and no known exploits have been observed in the wild. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common and impactful web security flaw. This issue highlights the risks of allowing file uploads without rigorous validation and the importance of sanitizing SVG content, which can embed scripts.

Potential Impact

The impact of CVE-2024-9072 is significant for organizations using the GDPR-Extensions-com Consent Manager plugin on WordPress sites. Successful exploitation allows authenticated users with Author-level privileges or higher to inject persistent malicious scripts via SVG uploads. These scripts execute in the browsers of any users viewing the SVG, potentially leading to session hijacking, privilege escalation, unauthorized actions, or data theft. Since the vulnerability affects stored content, it can be leveraged to compromise multiple users over time. The confidentiality and integrity of user sessions and site data are at risk, although availability is not directly impacted. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with many contributors or where Author-level access is granted liberally. Organizations handling sensitive user data or operating in regulated environments (e.g., GDPR compliance) face reputational damage and potential regulatory penalties if exploited. The absence of known exploits reduces immediate risk but also means defenders must proactively mitigate before active attacks emerge.

Mitigation Recommendations

To mitigate CVE-2024-9072, organizations should immediately review and restrict user privileges, ensuring only trusted users have Author-level or higher access. Implement strict controls on file uploads, particularly SVG files, by disabling SVG uploads if not essential or by using plugins that sanitize SVG content to remove embedded scripts. Monitor and audit uploaded files for suspicious content. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads in SVG files. Regularly update WordPress core, plugins, and themes, and monitor the GDPR-Extensions-com plugin vendor for patches or updates addressing this vulnerability. If possible, temporarily disable or replace the vulnerable plugin until a fix is available. Educate content contributors about the risks of uploading untrusted files. Additionally, implement Content Security Policy (CSP) headers to restrict script execution origins, reducing the impact of injected scripts. Conduct security testing and code reviews focusing on input validation and output escaping for all user-generated content.
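The "monitor and audit uploaded files" step above, as an added example that is not part of this advisory or of the Consent Manager plugin: a small Python checker that flags the SVG constructs behind this class of stored XSS (script and foreignObject elements, on* event handlers, javascript: hrefs) so an upload hook or a scan over the uploads directory can reject or quarantine such files. The function names and the sample SVG documents are constructed for this example.

```python
"""Audit an uploaded SVG for active content (added example, not plugin code)."""
import re
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

# Elements that carry or embed executable content inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# Control characters and whitespace that browsers ignore inside a URL scheme.
_STRIP = re.compile(r"[\x00-\x20]")


def _local(name: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def audit_svg(svg_text: str) -> list[str]:
    """Return findings in document order; an empty list means nothing active was seen."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag.lower() in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr).lower()
            if aname.startswith("on"):  # onload, onclick, ... event handlers
                findings.append(f"{aname} event handler on <{tag}>")
            elif aname == "href" and _STRIP.sub("", value).lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{tag}>")
    return findings


def should_reject(svg_text: str) -> bool:
    """Upload policy helper: reject any file that produced a finding."""
    return bool(audit_svg(svg_text))


# Constructed samples: a plain icon, and a file carrying three active constructs.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4" fill="green"/></svg>'
)
SUSPECT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="console.log(1)">'
    '<script>console.log("constructed sample")</script>'
    '<a xlink:href=" javascript:void(0)"><text x="1" y="9">link</text></a></svg>'
)
```

A file that fails to parse is also reported as a finding, since a browser may still render what an XML parser rejects.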


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-09-21T00:16:34.079Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b3eb7ef31ef0b54fb51

Added to database: 2/25/2026, 9:35:58 PM

Last enriched: 2/25/2026, 11:02:35 PM

Last updated: 2/26/2026, 9:23:24 AM
