The LSX Tour Operator plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-9851. This vulnerability exists due to improper neutralization of input during web page generation (CWE-79), specifically in the handling of SVG file uploads. All versions up to and including 1.4.9 are affected. Authenticated users with Author-level privileges or higher can upload SVG files containing embedded malicious JavaScript. Because the plugin fails to adequately sanitize and escape SVG content before rendering it on web pages, the embedded scripts execute in the context of any user who views the SVG, including administrators or other privileged users. This can lead to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with attack vector as network, low attack complexity, privileges required (Author-level), no user interaction needed, and scope changed due to potential impact on other components. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risks of insufficient input validation and output encoding in web applications, especially when handling complex file formats like SVG that can embed scripts.

This vulnerability allows authenticated users with Author-level access to inject persistent malicious scripts into the website via SVG uploads. The impact includes potential theft of session cookies, enabling attackers to impersonate other users, including administrators, leading to full site compromise. It can also facilitate unauthorized actions such as content manipulation, data theft, or installation of further malware. Since the scripts execute in the context of any user viewing the SVG, the attack surface includes all site visitors and administrators. This can damage organizational reputation, lead to data breaches, and disrupt business operations. The medium CVSS score reflects that while exploitation requires some privileges, the attack can be performed remotely over the network without user interaction. Organizations relying on the LSX Tour Operator plugin are at risk of targeted attacks, especially if they allow multiple authors or contributors to upload media content.

Organizations should immediately restrict SVG file uploads to trusted users only or disable SVG uploads entirely until a patch is available. Implement strict input validation and sanitization on SVG files, removing any embedded scripts or potentially dangerous elements before upload. Employ output encoding and Content Security Policy (CSP) headers to limit script execution contexts. Monitor user uploads and audit author-level accounts for suspicious activity. Update the LSX Tour Operator plugin promptly once a vendor patch is released. In the interim, consider using web application firewalls (WAFs) with rules to detect and block malicious SVG payloads. Educate content authors about the risks of uploading untrusted files. Regularly review user permissions to minimize the number of users with upload capabilities. Finally, conduct security assessments to identify any exploitation attempts or signs of compromise related to this vulnerability.