CVE-2024-4439: Unauthenticated Stored Cross-Site Scripting Vulnerability in WordPress Core

A significant security vulnerability has been identified in WordPress, the world’s most popular content management system, which could potentially allow attackers to take control of affected websites. The vulnerability, tracked as CVE-2024-4439 and rated at a severity of 7.2 on the Common Vulnerability Scoring System (CVSS), pertains to a stored Cross-Site Scripting (XSS) flaw in the WordPress Core.

The flaw specifically impacts the Avatar block within WordPress versions up to 6.5.2. This block, introduced in version 6.0, is utilized to display the avatars of post authors or comment authors depending on the context. The vulnerability arises due to insufficient output escaping of user display names, enabling both authenticated and unauthenticated attackers to inject harmful web scripts.

For authenticated users, particularly those with contributor-level access or higher, the exploit can lead to the injection of arbitrary web scripts into pages that will execute when a user views an affected page. Unauthenticated attackers, on the other hand, can exploit the vulnerability in pages where the comment block is present, displaying the comment author’s avatar.

The core issue stems from the improper order of operations in the escaping and formatting of user-supplied data. Here’s a glance at the affected code snippet:

$label = 'aria-label="' . sprintf( esc_attr__( '(%s author archive, opens in a new tab)' ), $author_name ) . '"';
$label = 'aria-label="' . sprintf( esc_attr__( '(%s website link, opens in a new tab)' ), $comment->comment_author ) . '"';