CVE-2024-9865 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress. This vulnerability affects all versions up to and including 4.0.4.7. The root cause is insufficient sanitization and escaping of user-supplied input in the 'ep_booking_attendee_fields' fields, which are used during web page generation. An unauthenticated attacker can exploit this flaw by injecting arbitrary JavaScript code into these fields. When a legitimate user accesses the transaction log page for a booking, the malicious script executes in their browser context. This can lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. The vulnerability is remotely exploitable without authentication, but requires the victim to view the affected page, making user interaction necessary. The CVSS 3.1 base score is 6.1, reflecting medium severity with low attack complexity and no privileges required. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially those handling sensitive booking and attendee data. The scope is limited to sites running the vulnerable plugin versions, but the impact on confidentiality and integrity can be substantial if exploited.

The primary impact of CVE-2024-9865 is on the confidentiality and integrity of user data on affected WordPress sites. Exploitation allows attackers to execute arbitrary scripts in the context of users viewing booking transaction logs, potentially leading to session hijacking, credential theft, or unauthorized actions such as modifying bookings or extracting sensitive attendee information. This can damage organizational reputation, lead to data breaches, and cause financial losses, especially for businesses relying on the plugin for event management and ticketing. Since the vulnerability is exploitable without authentication, attackers can target any site visitor with access to the transaction logs, increasing the attack surface. However, availability is not impacted, and exploitation requires user interaction. Organizations with high volumes of event bookings or sensitive attendee data are at greater risk. The lack of known exploits in the wild currently reduces immediate threat but does not eliminate the risk of future attacks.

To mitigate CVE-2024-9865, organizations should immediately update the EventPrime plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should restrict access to the transaction log pages to trusted users only, using authentication and role-based access controls to limit exposure. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious input patterns in the 'ep_booking_attendee_fields' can help prevent exploitation. Additionally, site owners should sanitize and validate all user inputs at the application level and ensure output encoding is properly applied to prevent script execution. Regularly monitoring logs for unusual activity related to booking fields and transaction log access can aid in early detection of exploitation attempts. Educating users to avoid clicking suspicious links or accessing untrusted booking logs can reduce risk. Finally, maintaining up-to-date backups and incident response plans will help recover quickly if an attack occurs.