
CVE-2024-12042: CWE-434 Unrestricted Upload of File with Dangerous Type in inspireui MStore API – Create Native Android & iOS Apps On The Cloud

Severity: Medium
Tags: Vulnerability, CVE-2024-12042, CWE-434
Published: Fri Dec 13 2024 (12/13/2024, 08:24:50 UTC)
Source: CVE Database V5
Vendor/Project: inspireui
Product: MStore API – Create Native Android & iOS Apps On The Cloud

Description

CVE-2024-12042 is a medium severity vulnerability in the inspireui MStore API WordPress plugin that allows authenticated users with subscriber-level access or higher to upload malicious HTML files via the profile picture upload feature. The root cause is insufficient file type validation, which enables stored cross-site scripting (XSS): when other users access the uploaded file, the arbitrary script it contains executes in their browser, potentially compromising user data and session integrity. The vulnerability affects all versions up to 4.16.4 and requires user interaction to trigger the script execution. There are no known exploits in the wild yet, but the vulnerability's scope and ease of exploitation pose a tangible risk to websites using this plugin. Organizations relying on this plugin for mobile app creation should prioritize patching or applying mitigations to prevent exploitation.

AI-Powered Analysis

AILast updated: 02/26/2026, 06:59:06 UTC

Technical Analysis

CVE-2024-12042 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the inspireui MStore API plugin for WordPress, which facilitates the creation of native Android and iOS apps on the cloud. The flaw exists in the profile picture upload functionality, where the plugin fails to properly validate the file types being uploaded. Authenticated users with subscriber-level privileges or higher can exploit this by uploading HTML files containing arbitrary JavaScript code. These malicious scripts are stored on the server and executed whenever any user accesses the uploaded file, resulting in a stored cross-site scripting (XSS) attack. The vulnerability affects all plugin versions up to and including 4.16.4. The CVSS 3.1 base score is 5.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges and user interaction, and impacting confidentiality and integrity with no effect on availability. No patches have been officially released yet, and no known exploits are currently reported in the wild. The vulnerability’s exploitation could lead to session hijacking, user impersonation, or unauthorized actions within the affected WordPress environment, especially since the plugin is widely used for mobile app backend integration.

Potential Impact

The primary impact of this vulnerability is the potential for stored XSS attacks, which can compromise user confidentiality and integrity by stealing session tokens, redirecting users to malicious sites, or performing unauthorized actions on behalf of users. Since the vulnerability requires authenticated access at subscriber level or above, attackers with minimal privileges can escalate their impact significantly. This can lead to broader compromise of the WordPress site, including administrative accounts if targeted carefully. Organizations using the MStore API plugin for mobile app backend services risk exposing their user base to phishing, data theft, and reputational damage. Additionally, attackers could leverage this vulnerability to implant persistent malicious scripts affecting all users who view the infected profile pictures. Although availability is not directly impacted, the indirect consequences of trust erosion and potential data breaches can be severe. The vulnerability’s network attack vector and low complexity make it relatively easy to exploit once an attacker has valid credentials, increasing the risk for affected organizations.

Mitigation Recommendations

To mitigate CVE-2024-12042, organizations should immediately restrict profile picture uploads to safe file types by implementing strict server-side validation that only permits image formats such as JPEG, PNG, or GIF, explicitly blocking HTML and script files. Employing content security policies (CSP) can help limit the impact of any injected scripts by restricting script execution sources. Additionally, applying least privilege principles to user roles can reduce the risk by limiting subscriber-level users’ ability to upload files if possible. Monitoring and logging upload activities for suspicious file types or anomalous behavior is recommended to detect exploitation attempts early. Until an official patch is released, consider disabling the profile picture upload feature or replacing the plugin with a secure alternative. Web application firewalls (WAFs) configured to detect and block XSS payloads in uploads can provide an additional layer of defense. Regularly updating WordPress and all plugins, and subscribing to vendor security advisories, will ensure timely application of future patches.
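The strict server-side validation recommended above, and the missing check described in the technical analysis, as an added example. This is not the MStore API plugin's code; it is a generic PHP validator that accepts only files which are a real JPEG, PNG or GIF by extension, by magic bytes and by image header, and a hypothetical hook into WordPress's `wp_handle_upload_prefilter` filter (the function names `validate_profile_picture` and the constant `ALLOWED_IMAGE_TYPES` are this example's own; whether the plugin's upload path goes through `wp_handle_upload` is an assumption). It assumes PHP 7.4+ with the standard fileinfo and GD extensions.

```php
<?php
// Added example (not the MStore API plugin's code): strict server-side validation
// for a profile-picture upload that rejects anything not a real JPEG/PNG/GIF.
// Assumes PHP 7.4+ with the fileinfo and GD extensions.

declare(strict_types=1);

// Allowlist of extension -> MIME type as reported by fileinfo. Everything else
// (HTML, SVG, text, scripts) is rejected because it is simply not on the list.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Returns null when the upload is an acceptable image, otherwise a reason string.
 * $tmp_path is the server-side temp file; $client_name is the untrusted file name.
 */
function validate_profile_picture(string $tmp_path, string $client_name): ?string
{
    // 1. Extension must be on the allowlist (the client-supplied name is untrusted).
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return "extension '$ext' is not an allowed image type";
    }

    // 2. Sniff the content with fileinfo (magic bytes); never trust the
    //    Content-Type the client sent with the request.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = $finfo ? finfo_file($finfo, $tmp_path) : false;
    if ($finfo) {
        finfo_close($finfo);
    }
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return "content type '" . ($mime ?: 'unknown') . "' does not match extension '$ext'";
    }

    // 3. Require a parseable image header: getimagesize() fails on HTML or text.
    $info = @getimagesize($tmp_path);
    if ($info === false || $info['mime'] !== $mime) {
        return 'file is not a decodable image';
    }

    // 4. Defense in depth: refuse files whose leading bytes look like markup,
    //    so a content-sniffing browser cannot be coaxed into rendering HTML.
    $head = (string) file_get_contents($tmp_path, false, null, 0, 512);
    if (preg_match('/<\s*(!doctype|html|script|svg|body|iframe)/i', $head)) {
        return 'image begins with HTML-like markup';
    }

    return null;
}

// WordPress integration (runs only inside WordPress): block the file before it is
// written to the uploads directory. Returning $file with 'error' set aborts the
// upload, and the rejection is logged so monitoring can pick up repeated attempts.
if (function_exists('add_filter')) {
    add_filter('wp_handle_upload_prefilter', function (array $file): array {
        $reason = validate_profile_picture($file['tmp_name'], $file['name']);
        if ($reason !== null) {
            $file['error'] = 'Profile picture rejected: ' . $reason;
            error_log(sprintf('upload blocked user=%d name=%s reason=%s',
                get_current_user_id(), $file['name'], $reason));
        }
        return $file;
    });
}

// Stand-alone demonstration with constructed inputs (run: php validate_upload.php).
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $tmp = tempnam(sys_get_temp_dir(), 'pic');

    // A genuine 1x1 PNG generated with GD: accepted under its own extension,
    // rejected when the client names it .html.
    $img = imagecreatetruecolor(1, 1);
    imagepng($img, $tmp);
    imagedestroy($img);
    var_dump(validate_profile_picture($tmp, 'avatar.png'));   // NULL (accepted)
    var_dump(validate_profile_picture($tmp, 'avatar.html'));  // rejected on extension

    // A constructed HTML document renamed to .png: fileinfo reports text/html,
    // so it is rejected on content regardless of the extension.
    file_put_contents($tmp, "<html><script>/* constructed test payload */</script></html>");
    var_dump(validate_profile_picture($tmp, 'avatar.png'));   // rejected on content type

    unlink($tmp);
}
```

The order of checks matters: the extension test is cheap and rejects the obvious case, but the magic-byte and `getimagesize()` checks are what actually stop an HTML file that has simply been renamed, which is the failure mode behind this CVE. Serving the uploads directory with `X-Content-Type-Options: nosniff` and a restrictive Content-Security-Policy, as the recommendations above suggest, limits the damage if a bad file ever does get through.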


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-02T17:46:10.684Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e2bb7ef31ef0b5972a1

Added to database: 2/25/2026, 9:48:27 PM

Last enriched: 2/26/2026, 6:59:06 AM

Last updated: 2/26/2026, 7:02:49 AM
