CVE-2024-9456 is a stored cross-site scripting (XSS) vulnerability identified in the WP Awesome Login plugin for WordPress, affecting all versions up to and including 0.4.0. The vulnerability stems from improper neutralization of input during web page generation, specifically related to SVG file uploads. Authenticated users with Author-level access or higher can upload SVG files containing malicious JavaScript payloads due to insufficient sanitization and output escaping of SVG content. When any user accesses the page or resource referencing the malicious SVG, the embedded script executes in their browser context. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. The vulnerability is exploitable remotely over the network without user interaction beyond viewing the SVG. The CVSS v3.1 base score is 6.4, indicating medium severity with network attack vector, low attack complexity, privileges required at Author level, no user interaction, and a scope change due to affecting other users. No patches or fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. This issue highlights the risks of allowing SVG uploads without proper sanitization in WordPress plugins, especially those managing user authentication or login functionality.

The impact of CVE-2024-9456 can be significant for organizations running WordPress sites with the vulnerable WP Awesome Login plugin. Successful exploitation allows attackers with Author-level privileges to inject persistent malicious scripts that execute in the browsers of other users, including administrators. This can lead to theft of authentication cookies, session tokens, or other sensitive information, enabling account takeover or privilege escalation. It may also facilitate further attacks such as phishing, malware distribution, or unauthorized actions performed by compromised users. Although the vulnerability does not directly affect system availability, the compromise of user accounts and data integrity can disrupt business operations, damage reputation, and lead to regulatory compliance issues. Since the attack requires authenticated access at Author level, the risk is higher in environments with multiple content creators or contributors. The vulnerability affects all sites using the plugin worldwide, potentially exposing a broad range of industries relying on WordPress for their web presence.

To mitigate CVE-2024-9456, organizations should take the following specific actions: 1) Immediately restrict or disable SVG file uploads in the WP Awesome Login plugin until a patch is available. 2) Implement strict server-side validation and sanitization of SVG files, removing any embedded scripts or potentially dangerous content before storage or rendering. 3) Apply the principle of least privilege by reviewing and limiting user roles and permissions, ensuring only trusted users have Author-level or higher access. 4) Monitor web server logs and WordPress activity for unusual SVG upload attempts or suspicious user behavior. 5) Educate content creators and administrators about the risks of uploading untrusted SVG files. 6) Stay informed about updates from the plugin vendor or WordPress security advisories and apply patches promptly once released. 7) Consider deploying a web application firewall (WAF) with rules to detect and block malicious SVG payloads or XSS attempts. 8) Regularly audit and update all WordPress plugins and themes to minimize exposure to known vulnerabilities.