CVE-2024-9118: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in quomodosoft QS Dark Mode Plugin
CVE-2024-9118 is a stored cross-site scripting (XSS) vulnerability in the QS Dark Mode Plugin for WordPress, affecting all versions up to 2.9. Authenticated users with Author-level access or higher can upload malicious SVG files containing scripts that execute when other users view the SVG. This vulnerability arises from insufficient input sanitization and output escaping during SVG file handling. Exploitation does not require user interaction beyond viewing the malicious SVG. The CVSS score is 6.4 (medium severity), reflecting network exploitability with low complexity but requiring privileges. While no known exploits are reported in the wild, the vulnerability poses risks to confidentiality and integrity of affected sites. Organizations using this plugin should promptly restrict author privileges, monitor SVG uploads, and apply patches or mitigations once available. Countries with significant WordPress usage and active web content management are most at risk.
AI Analysis
Technical Summary
CVE-2024-9118 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 that affects the QS Dark Mode Plugin for WordPress, a popular plugin used to enable dark mode features on websites. The vulnerability exists in all versions up to and including 2.9 due to improper neutralization of input during web page generation, specifically related to SVG file uploads. Authenticated attackers with Author-level privileges or higher can upload SVG files containing malicious JavaScript code. Because the plugin fails to sufficiently sanitize and escape the SVG content, these scripts are stored and executed whenever any user accesses the SVG file on the website. This can lead to the execution of arbitrary scripts in the context of the victim’s browser session, potentially allowing theft of cookies or session tokens, or performing actions on behalf of the user. The vulnerability does not require user interaction beyond viewing the SVG, and the attacker must have at least Author-level access, which is a moderately privileged role in WordPress. The CVSS v3.1 score of 6.4 reflects that the attack can be performed remotely over the network with low complexity, requires privileges, and impacts confidentiality and integrity but not availability. No public exploits are currently known, but the vulnerability is publicly disclosed and documented by Wordfence and the CVE database. The lack of available patches at the time of disclosure increases the urgency for mitigation. This vulnerability highlights the risks of insufficient input validation and output encoding in web plugins handling user-uploaded content, especially SVG files, which can embed scripts.
Potential Impact
The primary impact of CVE-2024-9118 is on the confidentiality and integrity of affected WordPress sites using the QS Dark Mode Plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of users who view the malicious SVG files. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential spread of malware or phishing attacks. Since the attacker requires Author-level access, the threat is significant in environments where multiple users have elevated privileges or where accounts may be compromised. The vulnerability does not affect availability directly but can undermine trust in the affected websites and lead to reputational damage. Organizations relying on this plugin for user experience enhancements face risks of data leakage and unauthorized access. Given WordPress’s widespread use globally, many websites could be exposed, especially those with collaborative content creation workflows. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available.
Mitigation Recommendations
To mitigate CVE-2024-9118, organizations should immediately review and restrict user roles to minimize the number of users with Author-level or higher privileges, limiting the potential attackers who can upload malicious SVG files. Administrators should implement strict content upload policies, including disabling SVG uploads if not necessary or employing SVG sanitization tools that remove scripts and unsafe elements before upload. Monitoring and logging SVG file uploads and access can help detect suspicious activity. Applying web application firewalls (WAFs) with rules targeting XSS payloads in SVG files can provide additional protection. Since no official patch is available at disclosure, organizations should follow vendor advisories closely and apply updates promptly once released. Additionally, educating users about the risks of uploading untrusted SVG content and enforcing multi-factor authentication for privileged accounts can reduce exploitation likelihood. Regular security audits of plugins and their configurations are recommended to identify and remediate similar vulnerabilities proactively.
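A defender-side check for the SVG handling the mitigation paragraph describes, added here as an example and not code from the plugin, Wordfence, or this page: it audits an uploaded SVG for script-capable content (script and foreignObject elements, on* event-handler attributes, javascript: URLs in any attribute, and a DOCTYPE, which an image never needs) and strips that content before the file is stored. The function names and the sample SVG are constructed for this example.

```python
"""Audit and sanitize uploaded SVG files for script-capable content (defender-side check).
Function names and SAMPLE_SVG are constructed for this example."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep serialized output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute or embed script/HTML; compared by local name, namespace-agnostic.
DANGEROUS_TAGS = {"script", "foreignObject"}

def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def _is_js_url(value):
    """True for javascript: URLs, including ones padded with whitespace browsers ignore."""
    return "".join(value.split()).lower().startswith("javascript:")

def audit_svg(svg_text):
    """Return (element, reason) findings; an empty list means nothing script-capable was found."""
    if "<!DOCTYPE" in svg_text.upper():  # reject DTDs outright instead of parsing entities
        return [("document", "DOCTYPE present")]
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        tag = _local(elem.tag)
        if tag in DANGEROUS_TAGS:
            findings.append((tag, "script-capable element"))
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append((tag, f"event handler attribute {name}"))
            elif _is_js_url(value):      # covers href, xlink:href and animate to=/values=
                findings.append((tag, f"javascript: URL in {name}"))
    return findings

def sanitize_svg(svg_text):
    """Return the SVG with script-capable elements and attributes removed."""
    root = ET.fromstring(svg_text)
    # Collect targets first: removing nodes while iter() is running can skip siblings.
    doomed = [(p, c) for p in root.iter() for c in list(p) if _local(c.tag) in DANGEROUS_TAGS]
    for parent, child in doomed:
        parent.remove(child)
    for elem in root.iter():
        for attr in list(elem.attrib):
            if _local(attr).lower().startswith("on") or _is_js_url(elem.attrib[attr]):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")

# Constructed sample carrying the three attribute/element patterns the audit looks for.
SAMPLE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
              ' onload="alert(1)"><script>alert(1)</script>'
              '<a xlink:href="javascript:alert(1)"><circle r="4"/></a></svg>')
```

Run the audit at upload time and reject or sanitize on any finding; ElementTree also raises ParseError on malformed input, which a handler should treat as a rejection rather than fall through to storing the file.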
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-09-23T19:27:29.072Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b41b7ef31ef0b54fc5c
Added to database: 2/25/2026, 9:36:01 PM
Last enriched: 2/25/2026, 11:03:59 PM
Last updated: 2/26/2026, 8:31:26 AM