CVE-2024-9165 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the Gift Cards (Gift Vouchers and Packages) plugin for WooCommerce on WordPress. The flaw exists due to insufficient input sanitization and output escaping of SVG file uploads, which allows authenticated users with Author-level access or higher to upload malicious SVG files containing embedded JavaScript. When these SVG files are rendered in the context of the web page, the embedded scripts execute in the browsers of users who view the affected pages, leading to potential session hijacking, privilege escalation, or unauthorized actions. The vulnerability affects all plugin versions up to and including 4.4.4. The attack vector is remote over the network, with low complexity and no user interaction required, but it requires authenticated access at the Author level or above, which is a moderate privilege level in WordPress. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity with partial impact on confidentiality and integrity but no impact on availability. Currently, there are no known exploits in the wild, but the vulnerability poses a significant risk to sites that allow multiple users with elevated privileges to upload SVG files. The lack of patch links suggests that a fix may not yet be publicly available, increasing the urgency for mitigation. This vulnerability is particularly relevant for e-commerce websites using WooCommerce with this plugin, as attackers could leverage it to compromise customer data or site integrity.

The primary impact of CVE-2024-9165 is the potential for attackers with Author-level access to inject persistent malicious scripts into SVG files that execute in the browsers of site visitors and administrators. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential compromise of administrative accounts. For e-commerce sites, this could result in fraudulent transactions, data breaches involving customer information, and reputational damage. Since the vulnerability requires authenticated access, the risk is elevated in environments with multiple content creators or editors. The scope includes all websites using the vulnerable plugin version, which may be substantial given WooCommerce's popularity. Although availability is not impacted, the confidentiality and integrity of data and user sessions are at risk. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits could emerge. Organizations failing to address this vulnerability may face targeted attacks aiming to leverage the XSS to escalate privileges or conduct phishing campaigns within the site context.

To mitigate CVE-2024-9165, organizations should first check for and apply any available updates or patches from the plugin vendor once released. Until a patch is available, restrict Author-level and higher privileges to trusted users only, minimizing the risk of malicious SVG uploads. Implement strict content security policies (CSP) to limit the execution of unauthorized scripts and reduce the impact of XSS attacks. Disable or restrict SVG file uploads if not essential, or use server-side validation to sanitize SVG content, removing any embedded scripts or potentially dangerous elements. Employ web application firewalls (WAFs) with rules designed to detect and block malicious SVG payloads and XSS attack patterns. Regularly audit user roles and permissions to ensure minimal necessary access. Monitor logs for unusual upload activity or script execution attempts. Educate site administrators and content creators about the risks of uploading untrusted SVG files. Finally, consider isolating or sandboxing SVG rendering to prevent script execution in user browsers.