
CVE-2024-12045: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevteam Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Severity: Medium
Tags: Vulnerability, CVE-2024-12045, CWE-79
Published: Wed Jan 08 2025 (01/08/2025, 07:18:38 UTC)
Source: CVE Database V5
Vendor/Project: wpdevteam
Product: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Description

CVE-2024-12045 is a stored cross-site scripting (XSS) vulnerability in the Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates WordPress plugin, affecting all versions up to and including 5.0.9. The marker title of the plugin's Google Maps block is stored without sufficient sanitization and rendered without sufficient output escaping, so an authenticated attacker with administrator privileges can store arbitrary web script in a page. The script executes in the browser of every user who views the injected page, which can lead to session hijacking or actions performed in the victim's name. The issue only matters on multisite installations and on installations where the unfiltered_html capability has been disabled; elsewhere an administrator can already place arbitrary HTML in content. Exploitation requires administrator privileges and no user interaction. The CVSS base score is 4.4 (medium) and no exploitation in the wild has been reported. Mitigation consists of updating the plugin once a fixed release is available, restricting and hardening administrator accounts, and auditing stored block content.

AI-Powered Analysis

Last updated: 02/26/2026, 06:58:28 UTC

Technical Analysis

CVE-2024-12045 is a stored cross-site scripting vulnerability in the Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress, affecting all versions up to and including 5.0.9. The weakness is improper neutralization of input during web page generation (CWE-79) in the marker title of the plugin's Google Maps block: the value is neither sufficiently sanitized when the block is saved nor sufficiently escaped when the block is rendered, so an authenticated attacker with administrator privileges can store arbitrary JavaScript in a page. The script persists in the post content and executes in the browser of every user who views that page. The issue is relevant only on multisite installations and on installations where the unfiltered_html capability has been disabled. On a standard single-site install an administrator already holds unfiltered_html and can place raw script in any post, so the bug adds nothing there; on multisite only super admins hold that capability, and the DISALLOW_UNFILTERED_HTML constant removes it from everyone, which is exactly the restriction the missing escaping lets a site administrator bypass. The CVSS 3.1 base score of 4.4 (medium) reflects a network attack vector with high attack complexity and administrator-level privileges required, no user interaction, and a changed scope (S:C) because the injected script executes in victims' browsers rather than in the vulnerable component itself; confidentiality and integrity impact are rated low and availability is unaffected. Possible consequences are session hijacking, defacement, and actions performed on behalf of the victim. No public exploit had been reported and no patch was linked at the time of publication. The CVE was assigned by Wordfence and published on January 8, 2025.

Potential Impact

The vulnerability matters for organizations that run WordPress multisite, or that have deliberately removed the unfiltered_html capability, and use the Essential Blocks plugin. An attacker who already holds an administrator account on such a site can store a script that runs in the browser of every visitor to the injected page, which can yield session hijacking, credential theft, actions performed as the victim, or defacement. The administrator-privilege requirement keeps the attack surface small, but it does not make the bug harmless: on a multisite network a site administrator is deliberately denied unfiltered_html, and this flaw lets such an account plant script that runs with the browser privileges of whoever views the page, including the network's super admins. That is the realistic privilege-escalation path the medium score understates. Availability is not affected directly. Organizations with large user bases or sensitive data behind affected sites are at higher risk. No exploitation in the wild has been reported, which lowers the immediate urgency without removing the risk.

Mitigation Recommendations

To mitigate CVE-2024-12045:

1) Check the installed plugin version; any version up to and including 5.0.9 is affected. Apply the vendor's fixed release as soon as one is available.
2) Restrict administrator accounts to trusted personnel, enforce multi-factor authentication on them, and remove stale accounts, since the attack requires an administrator login.
3) On multisite networks, limit where the Essential Blocks plugin is active, or disable the Google Maps block if it is not needed.
4) Deploy a Content Security Policy that disallows inline script. WordPress core and most plugins rely on inline scripts, so a strict policy needs nonces or hashes and careful testing; start in report-only mode.
5) Audit stored post content for script injected through block attributes. The block editor serializes attribute JSON with "<" and ">" encoded as \u003c and \u003e inside the block comment, so a plain search for "<script" in wp_posts can miss an injected marker title; decode the attribute JSON before inspecting it.
6) Use a security plugin or web application firewall that flags XSS payloads and anomalous administrator activity, such as content edits from an unexpected account or location.
7) Brief administrators that content they paste into block fields is rendered to every visitor and must come from trusted sources.
8) Segment multisite environments so that a compromised site administrator cannot reach network-wide settings or other sites' data.
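The two halves of the bug described in the Technical Analysis above, as an added JavaScript example that is not the plugin's code and does not reproduce its real block markup: a render routine that interpolates a stored marker title verbatim next to one that escapes it at output, and an audit routine for mitigation step 5 that parses serialized block comments and decodes the \u003c/\u003e encoding the block editor applies to attribute JSON. The block name essential-blocks/google-map, the markers[].title attribute path and the sample post content are assumptions constructed for this example.

```javascript
// Added example, not the Essential Blocks plugin's code. It models a block
// whose marker-title attribute is stored in post_content as serialized
// block-comment JSON and later rendered into the page. The block name,
// attribute names and sample content are constructed for this demonstration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes a value for an HTML text node or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable render: the stored title is interpolated verbatim, the CWE-79
// pattern described for CVE-2024-12045. A title such as
// "<img src=x onerror=alert(1)>" becomes live markup for every viewer.
function renderMarkerUnsafe(marker) {
  return `<div class="map-marker" data-title="${marker.title}">${marker.title}</div>`;
}

// Hardened render: escape at output for each context. The stored value is
// left as typed; it just cannot break out of the text or attribute context.
function renderMarkerSafe(marker) {
  const title = escapeHtml(marker.title);
  return `<div class="map-marker" data-title="${title}">${title}</div>`;
}

// The block editor serializes attributes as JSON inside an HTML comment and
// encodes "<", ">", "&", '"' and "--" as \u003c, \u003e, \u0026, \u0022 and
// \u002d\u002d so the JSON cannot close the comment. A text search for
// "<script" over wp_posts therefore misses an injected title; decoding the
// JSON does not. Core blocks (e.g. wp:paragraph) omit the "core/" prefix.
const BLOCK_RE = /<!-- wp:([a-z0-9-]+(?:\/[a-z0-9-]+)?)\s+(\{[\s\S]*?\})\s*\/?-->/g;

function parseBlocks(postContent) {
  const blocks = [];
  for (const m of postContent.matchAll(BLOCK_RE)) {
    try {
      blocks.push({ name: m[1], attrs: JSON.parse(m[2]) });
    } catch (err) {
      // Attribute JSON that does not parse deserves a manual look in an audit.
      blocks.push({ name: m[1], attrs: null, raw: m[2] });
    }
  }
  return blocks;
}

// Heuristic for values that would become markup or script if rendered
// unescaped; expect some false positives on ordinary text containing "<" or "=".
const SUSPICIOUS = /<|>|javascript:|\bon[a-z]+\s*=/i;

// Audit helper for mitigation step 5: returns the marker titles of the given
// map block that contain markup. The block name "essential-blocks/google-map"
// and the "markers[].title" attribute path are assumptions for this example.
function findSuspiciousMarkerTitles(postContent, blockName = 'essential-blocks/google-map') {
  const hits = [];
  for (const block of parseBlocks(postContent)) {
    if (block.name !== blockName || !block.attrs) continue;
    for (const marker of block.attrs.markers || []) {
      if (typeof marker.title === 'string' && SUSPICIOUS.test(marker.title)) {
        hits.push({ block: block.name, title: marker.title });
      }
    }
  }
  return hits;
}

// Constructed post_content: a paragraph, one benign marker and one injected
// marker, stored the way the block editor would serialize them.
const SAMPLE_POST_CONTENT = [
  '<!-- wp:paragraph -->',
  '<p>Find us here.</p>',
  '<!-- /wp:paragraph -->',
  '<!-- wp:essential-blocks/google-map {"markers":[' +
    '{"title":"Head office","lat":52.52,"lng":13.405},' +
    '{"title":"\\u003cimg src=x onerror=alert(document.cookie)\\u003e","lat":48.85,"lng":2.35}' +
    ']} /-->',
].join('\n');

// Stand-alone run: shows the unsafe and safe renderings of the injected
// title and what the audit reports for the sample content.
for (const hit of findSuspiciousMarkerTitles(SAMPLE_POST_CONTENT)) {
  console.log('unsafe:', renderMarkerUnsafe(hit));
  console.log('safe:  ', renderMarkerSafe(hit));
}
```

To use the audit routine on a real site, feed it the post_content column of wp_posts (for example from a database export) and review every hit by hand; the SUSPICIOUS pattern is deliberately broad and will flag legitimate text that happens to contain angle brackets. Note that the sample content contains no literal "<img" or "<script" anywhere, which is why a text search over the stored form would report nothing.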


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-12-02T18:07:01.040Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e2bb7ef31ef0b5972aa

Added to database: 2/25/2026, 9:48:27 PM

Last enriched: 2/26/2026, 6:58:28 AM

Last updated: 2/26/2026, 8:06:45 AM
