CVE-2024-9884 identifies a stored Cross-Site Scripting (XSS) vulnerability in the T(-) Countdown plugin for WordPress, versions up to and including 2.4.8. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes within the plugin's 'tminus' shortcode. This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages or posts. Because the malicious script is stored in the content, it executes whenever any user accesses the compromised page, potentially affecting administrators, editors, and visitors. The vulnerability is classified under CWE-79, which relates to improper neutralization of input during web page generation. The CVSS 3.1 score of 6.4 reflects a medium severity, with an attack vector over the network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change (S:C). The impact includes limited confidentiality and integrity loss but no availability impact. No patches or exploit code are currently publicly available, and no known exploitation in the wild has been reported. The vulnerability is significant because WordPress is a widely used CMS, and plugins like T(-) Countdown are common. Attackers exploiting this flaw could perform actions such as session hijacking, defacement, or redirecting users to malicious sites. The requirement for contributor-level access limits the attack surface but does not eliminate risk, especially on sites with multiple contributors or less restrictive user management policies.

The vulnerability allows attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the context of any user viewing those pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, or distribution of malware. While the attack requires authentication, many WordPress sites have multiple contributors or allow user registrations that could be abused. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting site-wide confidentiality and integrity. The absence of availability impact reduces the risk of denial-of-service but does not mitigate the risk of data compromise or reputational damage. Organizations relying on this plugin may face increased risk of targeted attacks, especially if they have high-value content or user bases. The medium severity score reflects a moderate but actionable risk that should be addressed promptly to prevent exploitation.

1. Immediately restrict contributor-level user privileges to trusted individuals only and review existing contributor accounts for suspicious activity. 2. Disable or remove the T(-) Countdown plugin if it is not essential to reduce the attack surface. 3. Monitor WordPress pages and posts for unusual or suspicious shortcode usage, especially the 'tminus' shortcode, and sanitize or remove any suspicious content. 4. Implement Web Application Firewall (WAF) rules to detect and block attempts to inject or execute malicious scripts via shortcodes. 5. Encourage the plugin vendor to release a security patch and apply it promptly once available. 6. Educate site administrators and contributors on secure content management practices and the risks of XSS vulnerabilities. 7. Regularly audit user roles and permissions to ensure least privilege principles are enforced. 8. Consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. 9. Backup site data regularly to enable recovery in case of compromise. 10. Stay informed about updates from the WordPress security community regarding this vulnerability.