CVE-2024-9386 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the WordPress plugin 'Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme' developed by wpmariocom. This vulnerability affects all plugin versions up to and including 1.4. The root cause is insufficient sanitization and output escaping of SVG file uploads, allowing authenticated users with Author-level or higher privileges to upload SVG files containing malicious JavaScript code. When these SVG files are accessed by any user, the embedded scripts execute in the context of the victim's browser, enabling attackers to perform actions such as stealing cookies, session tokens, or executing arbitrary actions on behalf of the user. The vulnerability is exploitable remotely over the network without user interaction beyond viewing the malicious SVG. The CVSS 3.1 base score of 6.4 reflects a medium severity, with attack vector as network, low attack complexity, privileges required at the Author level, no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. While no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the widespread use of WordPress and the popularity of Divi themes and modules. The lack of patches at the time of disclosure necessitates immediate attention to mitigate potential exploitation.

The impact of CVE-2024-9386 is primarily on confidentiality and integrity, with no direct impact on availability. Successful exploitation allows attackers to execute arbitrary scripts in the context of users visiting the infected SVG files, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and website defacement. Since the vulnerability is stored XSS, the malicious payload persists on the server, increasing the risk and reach of attacks. Organizations using the affected plugin risk compromise of user accounts, erosion of user trust, and potential regulatory consequences if user data is exposed. The requirement for Author-level privileges to upload malicious SVGs limits exploitation to insiders or compromised accounts but does not eliminate risk, especially in environments with multiple content contributors. The scope change in the CVSS vector indicates that the vulnerability affects components beyond the plugin itself, potentially impacting the broader WordPress site and its users. Given WordPress's extensive use globally, the vulnerability could affect a large number of websites, including corporate, e-commerce, and informational sites, amplifying the potential damage.

1. Immediate mitigation involves restricting SVG file uploads to trusted users only or disabling SVG uploads entirely until a patch is available. 2. Implement strict input validation and sanitization on SVG files, removing any embedded scripts or potentially dangerous elements before upload. 3. Employ output encoding and escaping when rendering SVG content to prevent script execution in browsers. 4. Monitor user accounts with Author-level or higher privileges for suspicious activity and enforce strong authentication mechanisms, including multi-factor authentication (MFA). 5. Regularly audit and review uploaded media files for unauthorized or malicious content. 6. Use Web Application Firewalls (WAFs) with rules to detect and block malicious SVG payloads or suspicious script patterns. 7. Stay updated with vendor advisories and apply official patches or updates as soon as they are released. 8. Educate content contributors about the risks of uploading untrusted files and enforce least privilege principles to minimize the number of users with upload capabilities. 9. Consider implementing Content Security Policy (CSP) headers to restrict script execution sources and mitigate the impact of XSS attacks.