CVE-2024-9702 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Social Rocket – Social Sharing Plugin for WordPress. This vulnerability affects all versions up to and including 1.3.4. The root cause is insufficient sanitization and output escaping of user-supplied attributes in the 'socialrocket-floating' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the victim. The vulnerability does not require user interaction beyond visiting the infected page and does not require higher privileges than contributor-level, which is a relatively low barrier in WordPress environments. The CVSS v3.1 score of 6.4 reflects a medium severity with network attack vector, low attack complexity, and privileges required. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin. The vulnerability’s scope is confined to websites using this plugin, but the impact can extend to all users visiting affected pages. The lack of a patch at the time of reporting necessitates immediate mitigation steps by administrators.

The impact of CVE-2024-9702 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Exploitation allows attackers to execute arbitrary scripts in the context of the vulnerable site, which can lead to session hijacking, theft of sensitive information such as cookies or credentials, defacement of web pages, and potentially unauthorized actions performed on behalf of legitimate users. Since the vulnerability requires contributor-level access, attackers who have compromised or gained such access can leverage this flaw to escalate their impact. The availability impact is minimal as the vulnerability does not directly cause denial of service. However, the reputational damage and potential data breaches can be significant for organizations relying on affected sites. Given WordPress’s global popularity and the plugin’s usage, organizations worldwide face risk, especially those with multiple contributors or less stringent access controls. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, as attackers may develop exploits once the vulnerability becomes widely known.

1. Immediately restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input injection. 2. Monitor and audit user-generated content, especially content involving the 'socialrocket-floating' shortcode, for suspicious or unexpected scripts. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting this plugin’s shortcode parameters. 4. Until an official patch is released, consider disabling the Social Rocket plugin or removing the vulnerable shortcode from all pages. 5. Educate content contributors on safe content practices and the risks of injecting untrusted code. 6. Regularly update WordPress and all plugins to their latest versions once a patch addressing this vulnerability is available. 7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 8. Use security plugins that can detect and alert on suspicious script injections or modifications in WordPress content.