CVE-2024-9585 is a stored cross-site scripting vulnerability identified in the Image Map Pro – Drag-and-drop Builder for Interactive Images WordPress plugin, versions up to and including 6.0.20. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically in the 'save_project' function. This function fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level or higher permissions to inject arbitrary JavaScript code via specially crafted shortcodes. When any user accesses a page containing the injected shortcode, the malicious script executes in their browser context. This can lead to a range of attacks including session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability requires authentication at contributor level or above but does not require user interaction beyond page access. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impact on confidentiality and integrity but not availability. No public exploits are currently known, and no official patches have been linked yet. The vulnerability affects all versions of the plugin up to 6.0.20, which is widely used in WordPress sites for creating interactive images with drag-and-drop functionality.

The primary impact of CVE-2024-9585 is the potential for attackers with contributor-level access to inject persistent malicious scripts into web pages, which execute in the browsers of any users viewing those pages. This can compromise user sessions, steal sensitive information such as cookies or credentials, and potentially allow attackers to perform actions on behalf of victims. For organizations, this can lead to data breaches, reputational damage, and loss of user trust. Since contributor-level users can exploit this, insider threats or compromised contributor accounts pose a significant risk. The vulnerability does not affect availability directly but can lead to integrity and confidentiality breaches. Websites relying on the Image Map Pro plugin for interactive content are particularly vulnerable, especially if they allow multiple contributors or editors. The scope includes any WordPress site using the affected plugin versions, which can be substantial given WordPress's market share. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is public.

Organizations should immediately review user roles and permissions, limiting contributor-level access to trusted users only. Until an official patch is released, consider disabling or removing the Image Map Pro plugin if contributor-level users are present. Implement additional input validation and output encoding at the application or web server level to mitigate script injection risks. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious shortcode patterns or script injections related to this plugin. Monitor logs for unusual activity from contributor accounts and audit changes to pages containing interactive images. Educate contributors about safe content practices and the risks of injecting arbitrary code. Once a patch is available, prioritize its deployment. Additionally, consider implementing Content Security Policy (CSP) headers to restrict execution of unauthorized scripts. Regularly update WordPress core and plugins to reduce exposure to similar vulnerabilities.