CVE-2024-9455 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP Cleanup and Basic Functions plugin for WordPress, maintained by guillaume-lostweb. The vulnerability exists in all versions up to and including 2.2.1 due to improper neutralization of input during web page generation, specifically related to SVG file uploads. Authenticated users with Author-level access or higher can upload SVG files containing malicious JavaScript payloads because the plugin fails to sufficiently sanitize and escape SVG content before rendering it on web pages. When other users or administrators view the affected SVG files, the embedded scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk in multi-user WordPress sites where authors can upload SVG files. The flaw is categorized under CWE-79, highlighting improper input neutralization during page generation. Mitigation requires patching the plugin once updates are available or implementing strict SVG upload restrictions and content sanitization controls.

The impact of CVE-2024-9455 is primarily on the confidentiality and integrity of WordPress sites using the vulnerable plugin. Successful exploitation allows attackers with Author-level privileges to inject persistent malicious scripts that execute in the context of other users, including administrators. This can lead to session hijacking, theft of sensitive information, unauthorized content modification, or further privilege escalation. Since WordPress powers a significant portion of the web, sites with multiple authors or contributors are at higher risk. The vulnerability does not directly affect availability but can indirectly cause service disruption through compromised administrative accounts or defacement. Organizations relying on this plugin for site maintenance or cleanup functions may face reputational damage and data breaches if the vulnerability is exploited. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with many contributors or weak account controls.

To mitigate CVE-2024-9455, organizations should: 1) Monitor for and apply plugin updates from the vendor as soon as they are released to address the vulnerability. 2) Restrict SVG file uploads to trusted users only, ideally limiting upload permissions to administrators. 3) Implement server-side SVG sanitization using specialized libraries (e.g., SVG Sanitizer) to remove potentially malicious scripts before storage or rendering. 4) Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts. 5) Regularly audit user roles and permissions to minimize the number of users with Author-level or higher access. 6) Educate users about the risks of uploading untrusted SVG files and enforce strict input validation on all file uploads. 7) Consider disabling SVG uploads entirely if not required. 8) Monitor logs and web traffic for unusual activity related to SVG file access or script execution. These steps go beyond generic advice by focusing on controlling SVG upload vectors and enforcing layered defenses.