CVE-2024-9642 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Editor Custom Color Palette plugin for WordPress, developed by rock4temps. This vulnerability affects all plugin versions up to and including 3.3.7. The root cause is improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of SVG file uploads. Authenticated attackers with Author-level access or higher can upload crafted SVG files containing malicious JavaScript payloads. When any user accesses a page or resource that loads the malicious SVG, the embedded script executes in the context of the victim’s browser. This can lead to theft of session cookies, unauthorized actions on behalf of users, or further exploitation within the affected WordPress site. The vulnerability is remotely exploitable over the network without user interaction beyond viewing the SVG. The CVSS v3.1 base score is 6.4, indicating medium severity, with attack vector as network, low attack complexity, privileges required (Author or above), no user interaction, and scope changed due to impact on other components. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risks of insufficient input validation in plugins that handle user-uploaded content, especially SVG files which can embed scripts. This issue is critical for WordPress sites using this plugin, particularly those allowing multiple authors or contributors.

The primary impact of CVE-2024-9642 is the potential compromise of user confidentiality and integrity within affected WordPress sites. Attackers with Author-level access can inject persistent malicious scripts that execute in the browsers of site visitors or administrators, enabling session hijacking, credential theft, or unauthorized actions such as content manipulation or privilege escalation. Although availability is not directly impacted, the breach of trust and potential for further exploitation can lead to reputational damage and operational disruption. Organizations relying on the Editor Custom Color Palette plugin expose themselves to targeted attacks, especially if multiple users have elevated privileges. The vulnerability could be leveraged in multi-tenant or collaborative environments to escalate attacks internally. Given WordPress’s widespread use globally, the vulnerability poses a significant risk to websites that have not updated or mitigated this issue. The lack of known exploits in the wild suggests limited current exploitation but also indicates a window of opportunity for attackers to develop weaponized payloads.

To mitigate CVE-2024-9642, organizations should immediately update the Editor Custom Color Palette plugin once a patched version is released by rock4temps. Until a patch is available, restrict upload permissions to trusted users only, ideally limiting SVG uploads or disabling them entirely if not required. Implement web application firewall (WAF) rules to detect and block suspicious SVG payloads or scripts embedded in uploads. Conduct thorough input validation and output encoding on all user-uploaded content, especially SVG files, to neutralize embedded scripts. Review user roles and permissions to minimize the number of users with Author-level or higher access. Monitor logs for unusual upload activity or access patterns to SVG files. Educate site administrators and users about the risks of uploading untrusted SVG content. Consider deploying Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS payloads. Regularly audit WordPress plugins for vulnerabilities and maintain an up-to-date inventory to respond promptly to new threats.