
CVE-2024-9390: CWE-79 Cross-Site Scripting (XSS) in Unknown RegistrationMagic

Medium
Published: Thu May 15 2025 (05/15/2025, 20:07:20 UTC)
Source: CVE
Vendor/Project: Unknown
Product: RegistrationMagic

Description

The RegistrationMagic WordPress plugin before 6.0.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI-Powered Analysis

Last updated: 07/04/2025, 15:56:50 UTC

Technical Analysis

CVE-2024-9390 is a medium-severity vulnerability classified as CWE-79 (Cross-Site Scripting, XSS) in the WordPress plugin RegistrationMagic prior to version 6.0.2.1. The plugin fails to properly sanitize and escape certain settings inputs, which allows users with high privileges, such as administrators, to inject and store malicious scripts within the plugin's settings. Notably, this is possible even when the WordPress capability 'unfiltered_html' is disallowed, such as in multisite environments, where that restriction normally limits the ability to post unfiltered HTML content.

The vulnerability requires high privilege (admin) access and user interaction (an admin must save or modify settings containing the malicious payload). The CVSS 3.1 base score is 4.8 (medium), with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, high privileges required, user interaction required, scope changed, low impact on confidentiality and integrity, and no impact on availability.

There are no known exploits in the wild at this time, and no patches or updates have been linked yet, though the fixed version is 6.0.2.1 or later. The vulnerability could allow an attacker to execute arbitrary JavaScript in the context of the affected site, potentially leading to session hijacking, privilege escalation, or other malicious actions within the admin interface or for other users viewing affected pages.

Potential Impact

For European organizations using WordPress sites with the RegistrationMagic plugin, this vulnerability poses a moderate risk. Since exploitation requires administrative privileges, the primary risk is from insider threats or compromised admin accounts. Successful exploitation could lead to persistent XSS attacks that allow attackers to hijack admin sessions, manipulate site content, or perform actions on behalf of administrators. This could result in data leakage, unauthorized changes to site configurations, or further compromise of the web application. In multisite WordPress setups common in larger organizations, the risk is heightened because the vulnerability bypasses the unfiltered_html restriction, potentially affecting multiple sites within a network. Given the widespread use of WordPress in Europe for business, government, and non-profit websites, the vulnerability could impact organizations that rely on RegistrationMagic for form management or user registration workflows. However, the requirement for high privileges and user interaction limits the attack surface primarily to organizations with weaker internal access controls or where admin accounts are exposed to social engineering or phishing attacks.

Mitigation Recommendations

European organizations should immediately verify whether they use the RegistrationMagic plugin and identify the version in use. If the plugin is present and the version is prior to 6.0.2.1, they should prioritize updating to version 6.0.2.1 or later. Until the update is applied, organizations should restrict administrative access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) for all admin accounts to reduce the risk of credential compromise. Additionally, review and limit the number of users with high privileges to minimize potential insider threats. Implement Content Security Policy (CSP) headers to mitigate the impact of XSS by restricting script execution sources. Regularly audit plugin settings and monitor for unusual changes or injected scripts. For multisite environments, extra caution should be taken to monitor and control admin activities across the network. Finally, consider employing web application firewalls (WAFs) that can detect and block common XSS payloads as an additional layer of defense.
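The version check and settings audit recommended above, sketched as an added example (not code from the advisory or from the plugin). It assumes option rows exported as JSON with `option_name` and `option_value` fields, for instance from WP-CLI's `wp option list --format=json`; the option names and values in the sample are constructed, and the pattern list is a heuristic that flags values for manual review.

```python
import html
import json
import re

FIXED_VERSION = "6.0.2.1"  # first fixed release named in the advisory

# Heuristic: markup that can run script if a setting is echoed unescaped.
SCRIPT_MARKERS = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b"  # script-capable elements
    r"|<[^>]+\bon[a-z]+\s*="                   # inline event-handler attributes
    r"|javascript\s*:",                        # javascript: URLs
    re.IGNORECASE,
)

def parse_version(version):
    """'6.0.2' -> (6, 0, 2), so parts compare as numbers, not strings."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True if the installed plugin version is older than the fixed one."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so 6.0.2 compares as 6.0.2.0
    b += (0,) * (width - len(b))
    return a < b

def suspicious_settings(options):
    """Names of options whose stored value contains script-capable markup."""
    hits = []
    for opt in options:
        # Decode entities first: a value may be stored entity-encoded.
        value = html.unescape(str(opt.get("option_value", "")))
        if SCRIPT_MARKERS.search(value):
            hits.append(opt["option_name"])
    return hits

# Constructed sample rows; option names and values are hypothetical.
SAMPLE_OPTIONS = json.loads("""[
  {"option_name": "example_form_label", "option_value": "Register here"},
  {"option_name": "example_submit_text", "option_value": "Send<script>/*constructed*/</script>"},
  {"option_name": "example_footer_note", "option_value": "&lt;b onmouseover=&quot;void(0)&quot;&gt;hi&lt;/b&gt;"},
  {"option_name": "example_notice", "option_value": "Open 9-5, online = yes"}
]""")

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("6.0.2"))
    print("review:", suspicious_settings(SAMPLE_OPTIONS))
```

A flagged option is a prompt to inspect the stored value and who last changed it, not proof of compromise.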


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-10-01T02:42:03.935Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aeb927

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/4/2025, 3:56:50 PM

Last updated: 8/15/2025, 7:51:02 AM
