CVE-2024-9892 is a stored cross-site scripting vulnerability (CWE-79) in the Add Widget After Content plugin for WordPress, present in all versions up to and including 2.4.6. It allows authenticated users with administrator-level permissions or higher to inject arbitrary web scripts via the plugin's admin settings due to inadequate input sanitization and output escaping. This vulnerability affects multi-site WordPress installations or installations where the unfiltered_html capability is disabled. The vulnerability can lead to script execution in the context of users visiting the injected pages. The CVSS 3.1 base score is 4.4 (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, high attack complexity, high privileges required, no user interaction, scope changed, and limited confidentiality and integrity impact.

An authenticated attacker with administrator privileges can inject malicious scripts that execute in the browsers of users viewing affected pages, potentially leading to limited confidentiality and integrity impacts. This could allow actions such as session hijacking or unauthorized actions within the affected WordPress multi-site environment. There is no indication of availability impact. The vulnerability only affects multi-site installations or those with unfiltered_html disabled, limiting the scope of affected deployments.

No official patch or fix is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, administrators should restrict access to the plugin settings to trusted users only and consider disabling or removing the Add Widget After Content plugin in multi-site or unfiltered_html-disabled environments. Monitoring vendor channels for updates is recommended.