
CVE-2024-9650: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in brechtvds WP Recipe Maker

Severity: Medium
Tags: Vulnerability, CVE-2024-9650, CWE-79
Published: Thu Oct 24 2024 (10/24/2024, 11:03:15 UTC)
Source: CVE Database V5
Vendor/Project: brechtvds
Product: WP Recipe Maker

Description

CVE-2024-9650 is a stored cross-site scripting (XSS) vulnerability in the WP Recipe Maker WordPress plugin affecting all versions up to and including 9.6.1. It arises from insufficient input sanitization and output escaping of the 'tooltip' parameter, allowing authenticated users with Contributor-level access or higher to inject malicious scripts. Because the payload is stored with the content, it executes whenever any user views the affected page, potentially leading to session hijacking or other client-side attacks. The vulnerability has a CVSS score of 6.5, indicating medium severity, with no known exploits in the wild as of now. Exploitation requires authentication but no user interaction beyond page access. Organizations using this plugin should prioritize patching or applying mitigations to prevent abuse. The threat primarily impacts WordPress sites globally, especially those with multiple contributors.

AI-Powered Analysis

Last updated: 02/25/2026, 23:32:43 UTC

Technical Analysis

CVE-2024-9650 is a stored cross-site scripting (XSS) vulnerability identified in the WP Recipe Maker plugin for WordPress, maintained by brechtvds. This vulnerability affects all versions up to and including 9.6.1. The root cause is insufficient sanitization and escaping of the 'tooltip' parameter during web page generation, which allows an authenticated attacker with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute whenever any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability does not require user interaction beyond visiting the page, but does require the attacker to have authenticated access with contributor or higher permissions, which limits exploitation to insiders or compromised accounts. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high confidentiality impact but no integrity or availability impact. No official patches or updates have been linked yet, and no known exploits are reported in the wild. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. Given the widespread use of WordPress and the popularity of WP Recipe Maker, this vulnerability could be leveraged for targeted attacks or lateral movement within compromised sites.

Potential Impact

The primary impact of CVE-2024-9650 is the compromise of confidentiality through session hijacking, credential theft, or unauthorized actions performed via injected scripts. Attackers with contributor-level access can embed malicious JavaScript that executes in the context of any user viewing the affected pages, including administrators. This can lead to account takeover, data leakage, or further compromise of the WordPress site. While the vulnerability does not directly affect data integrity or availability, the resulting unauthorized actions could indirectly cause data manipulation or site disruption. Organizations running WordPress sites with multiple contributors or public-facing recipe content are at risk, especially if contributor accounts are not tightly controlled. The lack of known exploits reduces immediate risk, but the ease of exploitation once authenticated and the persistent nature of stored XSS make this a significant threat for targeted attacks and insider threats. The vulnerability could also be used as a foothold for broader attacks within an organization's web infrastructure.

Mitigation Recommendations

To mitigate CVE-2024-9650, organizations should first check for and apply any official patches or updates from the WP Recipe Maker plugin vendor as soon as they become available. In the absence of patches, administrators should restrict contributor-level access strictly to trusted users and review existing contributor accounts for compromise. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'tooltip' parameter can provide temporary protection. Site administrators should also enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly audit and sanitize user-generated content, especially inputs that are rendered on pages, to prevent injection of malicious code. Monitoring logs for unusual contributor activity or unexpected content changes can help detect exploitation attempts early. Finally, educating contributors about secure input practices and the risks of XSS can reduce inadvertent introduction of vulnerabilities.
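The "sanitize and escape user-generated content before it is rendered" recommendation above is the fix class for CWE-79. The following PHP is an added illustration, not WP Recipe Maker's code: the function names, the span markup and the data-tooltip attribute are assumptions made for the example, and the esc_attr()/esc_html() fallbacks exist only so the file runs outside WordPress, where the core helpers of the same names would be used directly. It shows the vulnerable pattern (a contributor-supplied value written straight into an attribute) beside the hardened pattern (context-matched escaping on output) and checks the result on a constructed sample value.

```php
<?php
// Added example for CVE-2024-9650 (stored XSS through an unescaped 'tooltip' value).
// Not the plugin's code; markup and function names are assumptions for illustration.

// Stand-ins so this file runs without WordPress. Inside a plugin, call the core
// helpers esc_attr() and esc_html() directly; these fallbacks are never defined there.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

/**
 * Vulnerable pattern (assumed shape): a value a Contributor saved with the post is
 * concatenated into an HTML attribute and element body without escaping, so whatever
 * the contributor typed becomes markup for every visitor, administrators included.
 */
function render_tooltip_vulnerable(string $tooltip, string $term): string {
    return '<span class="wprm-tooltip" data-tooltip="' . $tooltip . '">' . $term . '</span>';
}

/**
 * Hardened pattern: escape at output time with the escaper that matches the sink
 * (attribute value vs. text node). Stored data is treated as untrusted regardless of
 * the role that saved it, which is what closes the Contributor-to-admin path.
 */
function render_tooltip_hardened(string $tooltip, string $term): string {
    return '<span class="wprm-tooltip" data-tooltip="' . esc_attr($tooltip) . '">'
        . esc_html($term) . '</span>';
}

// Constructed sample input: the textbook attribute break-out used in XSS training
// material, not a payload observed against this plugin. The vulnerable renderer
// turns it into a new event-handler attribute; the hardened one emits inert text.
$sample_tooltip = '" onmouseover="alert(1)';
$vuln = render_tooltip_vulnerable($sample_tooltip, 'Sauté');
$safe = render_tooltip_hardened($sample_tooltip, 'Sauté');

echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";

// Self-check: in the hardened output the double quote can no longer close the
// attribute, so a browser never sees 'onmouseover' as an attribute name.
assert(strpos($vuln, '" onmouseover="alert(1)"') !== false);
assert(strpos($safe, '" onmouseover') === false);
assert(strpos($safe, '&quot; onmouseover=&quot;alert(1)') !== false);
```

Escaping on output is the control that actually removes the defect; the WAF rule and CSP header recommended above are defense in depth that reduce exposure while a site waits for a fixed plugin release, and neither should be relied on instead of the fix.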


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-10-08T19:01:38.809Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b56b7ef31ef0b553090

Added to database: 2/25/2026, 9:36:22 PM

Last enriched: 2/25/2026, 11:32:43 PM

Last updated: 2/26/2026, 6:15:04 AM


