CVE-2024-29917 in Compact WP Audio Player Plugin
Summary
by MITRE • 03/27/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Compact WP Audio Player allows Stored XSS.This issue affects Compact WP Audio Player: from n/a through 1.9.9.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2025
The CVE-2024-29917 vulnerability represents a critical cross-site scripting flaw in the Compact WP Audio Player plugin for WordPress systems. This vulnerability falls under the CWE-79 category of Cross-Site Scripting, specifically classified as a stored XSS attack vector that allows malicious actors to inject persistent malicious scripts into web pages viewed by other users. The vulnerability exists within the plugin's input handling mechanisms during web page generation processes, where user-supplied data is not properly sanitized or escaped before being rendered in HTML output contexts.
The technical exploitation of this vulnerability occurs when an attacker can inject malicious JavaScript code through input fields that are subsequently stored within the plugin's database or configuration settings. When other users access web pages that display content generated by the affected plugin, their browsers execute the malicious scripts in the context of the vulnerable website, potentially leading to session hijacking, data theft, or further compromise of the affected system. The vulnerability is present in all versions of the Compact WP Audio Player plugin through version 1.9.9, indicating that the improper input neutralization has existed for an extended period without adequate protection mechanisms.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including credential theft through session cookie harvesting, redirection to malicious websites, defacement of content, and establishment of backdoors for persistent access. Attackers can leverage this vulnerability to gain unauthorized access to user accounts, manipulate audio player configurations, or even escalate privileges if the affected WordPress installation has administrative users. The stored nature of this XSS attack means that the malicious payload remains active even after the initial injection, continuously affecting all users who encounter the compromised content.
Organizations using the Compact WP Audio Player plugin should immediately implement multiple layers of defense to mitigate this vulnerability. The primary mitigation involves updating to the latest available version of the plugin where the XSS vulnerability has been patched and input sanitization has been properly implemented. Additionally, administrators should implement Content Security Policy headers to limit script execution contexts, employ web application firewalls to detect and block malicious input patterns, and conduct regular security audits of all installed WordPress plugins. The vulnerability also highlights the importance of following secure coding practices such as input validation, output encoding, and the principle of least privilege in plugin development, aligning with ATT&CK framework techniques that emphasize credential access and persistence mechanisms through web application vulnerabilities.