CVE-2024-9615 is a reflected cross-site scripting (XSS) vulnerability identified in the BulkPress plugin for WordPress, affecting all versions up to and including 0.3.5. The root cause is the use of WordPress's add_query_arg function without appropriate escaping of user-supplied input when generating URLs. This improper neutralization of input (CWE-79) allows an unauthenticated attacker to craft malicious URLs that, when visited by a user, execute arbitrary JavaScript in the context of the vulnerable site. The vulnerability is reflected, meaning the malicious script is embedded in a URL and executed immediately upon user interaction, such as clicking a link. The attack does not require authentication but does require user interaction. The CVSS v3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact includes potential theft of cookies, session tokens, or other sensitive information accessible via the browser, as well as possible manipulation of site content or actions performed on behalf of the user. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects the BulkPress plugin, which is used to bulk import posts and pages in WordPress, a widely deployed content management system.

The vulnerability allows attackers to execute arbitrary scripts in the context of the vulnerable website, potentially leading to session hijacking, theft of sensitive user data, or unauthorized actions performed on behalf of authenticated users. For organizations, this can result in compromised user accounts, defacement, or redirection to malicious sites, damaging reputation and trust. Since the vulnerability is exploitable without authentication but requires user interaction, phishing or social engineering campaigns could be used to lure victims. The scope includes any WordPress site using the BulkPress plugin up to version 0.3.5, which may be significant given WordPress's global popularity. While availability is not impacted, the confidentiality and integrity of user data and site content are at risk. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as public disclosure may prompt attackers to develop exploits.

Administrators should immediately verify if their WordPress installations use the BulkPress plugin and identify the version. Since no official patch links are provided, users should monitor the vendor's announcements for updates or patches addressing this vulnerability. In the interim, applying web application firewall (WAF) rules to detect and block suspicious query parameters or script injection attempts can reduce risk. Site owners should implement Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of injected scripts. Educating users to avoid clicking suspicious links and employing anti-phishing measures can reduce successful exploitation. Additionally, plugin usage should be reviewed; if BulkPress is not essential, consider disabling or uninstalling it until a fix is available. Regularly updating WordPress core and plugins remains critical to minimize exposure to known vulnerabilities.