CVE-2024-9208 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Enable Accessibility plugin for WordPress, developed by upress. The vulnerability exists due to improper neutralization of user-supplied input during web page generation, specifically through the use of WordPress functions add_query_arg and remove_query_arg without appropriate escaping or sanitization of URL parameters. This flaw affects all versions of the plugin up to and including version 1.4.1. An attacker can exploit this vulnerability by crafting a malicious URL containing executable JavaScript code and tricking a user into clicking it. Because the plugin fails to properly escape these inputs, the injected script executes in the context of the victim's browser, potentially allowing theft of session cookies, redirection to malicious sites, or other unauthorized actions. The vulnerability does not require authentication but does require user interaction (clicking a link). The CVSS v3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. No public exploits are currently known, but the vulnerability is publicly disclosed and should be considered a risk for websites using this plugin. The CWE classification is CWE-79, which corresponds to improper neutralization of input leading to XSS.

The primary impact of CVE-2024-9208 is on the confidentiality and integrity of affected websites and their users. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser, which can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of the user, and potential redirection to malicious websites. While the vulnerability does not directly affect availability, the resulting compromise can lead to reputational damage, loss of user trust, and potential data breaches. For organizations, this can mean exposure of user credentials, personal data, and other sensitive information. Since the vulnerability is exploitable without authentication but requires user interaction, phishing or social engineering campaigns could be used to maximize impact. Given the widespread use of WordPress and the Enable Accessibility plugin, many websites globally could be affected, especially those that have not updated or applied mitigations. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits following public disclosure.

To mitigate CVE-2024-9208, organizations should immediately update the Enable Accessibility plugin to a version where the vulnerability is patched once available. In the absence of an official patch, administrators should implement strict input validation and output encoding on all URL parameters handled by the plugin, particularly those manipulated via add_query_arg and remove_query_arg functions. Employing a Web Application Firewall (WAF) with rules to detect and block reflected XSS payloads targeting this plugin can provide an additional layer of defense. Website owners should also educate users about the risks of clicking suspicious links and implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regular security audits and monitoring for unusual activity related to the plugin can help detect exploitation attempts early. Finally, disabling or removing the plugin if it is not essential can eliminate the attack surface.