CVE-2024-12047: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in smartersite WP Compress – Instant Performance & Speed Optimization
CVE-2024-12047 is a reflected Cross-Site Scripting (XSS) vulnerability in the WP Compress – Instant Performance & Speed Optimization WordPress plugin affecting all versions up to 6.30.03. The flaw arises from improper sanitization and escaping of the 'custom_server' parameter, allowing unauthenticated attackers to inject malicious scripts. Exploitation requires tricking a user into clicking a crafted link, leading to script execution in the victim's browser. This vulnerability impacts confidentiality and integrity but does not affect availability. The CVSS score is 6.1 (medium severity), reflecting ease of exploitation without authentication but requiring user interaction. No known public exploits exist yet. Organizations using this plugin should prioritize patching or applying mitigations to prevent potential phishing or session hijacking attacks.
AI Analysis
Technical Summary
CVE-2024-12047 is a reflected Cross-Site Scripting (XSS) vulnerability classified under CWE-79 found in the WP Compress – Instant Performance & Speed Optimization plugin for WordPress, developed by smartersite. The vulnerability affects all versions up to and including 6.30.03. It stems from insufficient input sanitization and output escaping of the 'custom_server' parameter, which is used during web page generation. An attacker can craft a malicious URL containing a payload in this parameter. When a victim clicks this URL, the injected script executes in their browser context, potentially allowing theft of cookies, session tokens, or other sensitive information, as well as manipulation of the displayed content. The vulnerability does not require authentication but does require user interaction (clicking a link). The CVSS 3.1 base score is 6.1, indicating a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is used to optimize WordPress site performance, so it is likely deployed on many websites globally, increasing the potential attack surface.
Potential Impact
The primary impact of this vulnerability is on the confidentiality and integrity of user data on affected WordPress sites. Successful exploitation can lead to theft of session cookies, enabling account hijacking, or manipulation of website content to conduct phishing or deliver malware. Although availability is not impacted, the reputational damage and loss of user trust can be significant for organizations. Since the plugin is designed for performance optimization, it is often used on high-traffic sites, increasing the risk of widespread exploitation. Attackers can leverage this vulnerability to target site visitors, potentially leading to broader compromise of user accounts or distribution of malicious payloads. The lack of authentication requirement lowers the barrier for attackers, but the need for user interaction limits automated exploitation. Organizations relying on this plugin without mitigation expose their users and themselves to these risks.
Mitigation Recommendations
Organizations should immediately update the WP Compress plugin to a patched version once available from the vendor. Until a patch is released, administrators can mitigate risk by implementing Web Application Firewall (WAF) rules that detect and block suspicious input patterns in the 'custom_server' parameter. Input validation and output encoding should be enforced at the application level if custom modifications are possible. Additionally, site owners should educate users about the risks of clicking unknown or suspicious links. Monitoring web server logs for unusual requests containing the 'custom_server' parameter can help detect attempted exploitation. Disabling or removing the plugin temporarily is a last-resort mitigation if patching or WAF rules are not feasible. Regular security audits and vulnerability scanning should be conducted to identify similar issues proactively.
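The log-monitoring and input-validation advice above, worked through as an added example (not code from the advisory, the plugin, or the vendor): it scans combined-format access-log lines for requests carrying a 'custom_server' value that contains markup or script markers, or that fails a hostname allowlist. The log lines are constructed samples, and the assumption that the parameter should hold a hostname or URL is mine, not a statement from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Feb/2026:21:48:27 +0000] "GET /wp-admin/admin.php?page=wp-compress&custom_server=cdn.example.net HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Feb/2026:21:49:02 +0000] "GET /wp-admin/admin.php?page=wp-compress&custom_server=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Feb/2026:21:49:30 +0000] "GET /wp-admin/admin.php?page=wp-compress&custom_server=x%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Request line inside the combined log format: "METHOD PATH?QUERY HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markup and script markers that have no place in a server name.
SUSPICIOUS_RE = re.compile(r'[<>"\']|javascript:|on[a-z]+\s*=', re.IGNORECASE)

# Assumption: the parameter is meant to hold a hostname, optionally with scheme and port.
ALLOWED_RE = re.compile(r'^(?:https?://)?[a-z0-9.-]+(?::\d{1,5})?/?$', re.IGNORECASE)

def extract_custom_server(log_line):
    """Return the URL-decoded custom_server value from a log line, or None if absent."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    values = parse_qs(query, keep_blank_values=True).get("custom_server")
    if not values:
        return None
    # Decode once more so double-encoded values (%253C) are still inspected.
    return unquote_plus(values[0])

def is_suspicious(value):
    """Flag values carrying markup/script markers or failing the hostname allowlist."""
    return bool(SUSPICIOUS_RE.search(value)) or not ALLOWED_RE.match(value)

def scan_log(text):
    """Return (client_ip, decoded_value) for each request with a suspicious custom_server."""
    hits = []
    for line in text.splitlines():
        value = extract_custom_server(line)
        if value is not None and is_suspicious(value):
            hits.append((line.split(" ", 1)[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"suspicious custom_server from {ip}: {value!r}")
```

The same allowlist check is the shape of the application-level validation the advisory recommends: a server parameter that is not a plausible hostname should be rejected before it is echoed back, and whatever is echoed must still be HTML-escaped for its output context.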
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-12-02T18:38:18.822Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e2bb7ef31ef0b5972b4
Added to database: 2/25/2026, 9:48:27 PM
Last enriched: 2/26/2026, 6:58:02 AM
Last updated: 2/26/2026, 8:25:53 AM
Views: 1