CVE-2024-12024 is a stored cross-site scripting (XSS) vulnerability identified in the EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress, affecting all versions up to and including 4.0.5.3. The root cause is insufficient sanitization and escaping of user-supplied input in the em_ticket_category_data and em_ticket_individual_data parameters, which are used during web page generation. This flaw allows unauthenticated attackers to inject arbitrary JavaScript payloads that are stored persistently and executed whenever an administrative user accesses the compromised page. The attack vector requires the "Guest Submissions" feature to be enabled, which allows unauthenticated users to submit ticket-related data. Because administrative users typically have elevated privileges, successful exploitation can lead to session hijacking, credential theft, or unauthorized actions performed with admin rights. The vulnerability has a CVSS 3.1 base score of 7.2, reflecting network attack vector, no privileges required, no user interaction, and a scope change due to impact on administrative users. No patches have been linked yet, and no known exploits are reported in the wild. The vulnerability is classified under CWE-79, highlighting improper neutralization of input during web page generation. This issue underscores the importance of rigorous input validation and output encoding in web applications, especially those handling user-generated content accessible by privileged users.

The primary impact of this vulnerability is on the confidentiality and integrity of administrative user sessions and data within WordPress sites using the affected plugin with guest submissions enabled. Attackers can execute arbitrary JavaScript in the context of admin users, potentially leading to theft of authentication cookies, unauthorized administrative actions, or deployment of further malware. This can compromise the entire WordPress installation and any connected systems or data. Although availability is not directly affected, the resulting compromise can lead to site defacement, data breaches, or loss of trust. Organizations relying on EventPrime for event management, ticketing, and bookings may face operational disruption and reputational damage. Since exploitation requires no authentication and no user interaction beyond admin page access, the risk is elevated in environments where guest submissions are enabled and administrative users frequently access the plugin’s pages.

1. Immediately disable the "Guest Submissions" feature if it is not essential, as it is disabled by default and required for exploitation. 2. Monitor for plugin updates or patches from the vendor (metagauss) and apply them promptly once available. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting em_ticket_category_data and em_ticket_individual_data parameters. 4. Restrict administrative access to the WordPress backend via IP whitelisting or VPN to reduce exposure. 5. Educate administrative users to be cautious when accessing event or ticket pages and monitor for unusual behavior. 6. Conduct regular security audits and scanning for XSS vulnerabilities in plugins and themes. 7. Consider using Content Security Policy (CSP) headers to limit the impact of injected scripts. 8. Backup WordPress sites regularly to enable quick recovery if compromise occurs. 9. Review and harden WordPress user roles and permissions to minimize risk if an account is compromised.