CVE-2024-12060 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the WP Media Optimizer (.webp) plugin for WordPress, developed by francescosganga. The vulnerability exists in all versions up to and including 1.4.0 due to insufficient sanitization and escaping of user-supplied input in the parameters 'wpmowebp-css-resources' and 'wpmowebp-js-resources'. These parameters are used during web page generation, and the lack of proper neutralization allows attackers to inject arbitrary JavaScript code. Because the vulnerability is reflected, the malicious script is embedded in a crafted URL or request and executed when a victim clicks the link, causing the script to run in the victim's browser context. This can lead to theft of session cookies, redirection to malicious sites, or other client-side attacks. The vulnerability does not require authentication, increasing its risk profile, but does require user interaction (clicking a link). The CVSS 3.1 base score is 6.1 (medium severity), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No public exploits or patches are currently available, but the vulnerability is published and should be addressed promptly to prevent potential exploitation.

The impact of CVE-2024-12060 primarily affects the confidentiality and integrity of user sessions on WordPress sites using the vulnerable WP Media Optimizer plugin. Successful exploitation can lead to theft of session cookies, enabling attackers to impersonate users or administrators, potentially leading to unauthorized access or privilege escalation. It can also facilitate phishing attacks by redirecting users to malicious sites or injecting deceptive content. Although availability is not impacted, the compromise of user trust and potential data leakage can have significant reputational and operational consequences for affected organizations. Since the vulnerability is exploitable without authentication but requires user interaction, widespread exploitation is possible through social engineering campaigns. Organizations running WordPress sites with this plugin are at risk of targeted or opportunistic attacks, especially if they host sensitive user data or provide critical services. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the vulnerable component, potentially impacting the entire web application context.

To mitigate CVE-2024-12060, organizations should first check for updates or patches from the plugin developer and apply them immediately once available. In the absence of an official patch, administrators should consider disabling or uninstalling the WP Media Optimizer (.webp) plugin to eliminate the attack surface. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious payloads targeting the 'wpmowebp-css-resources' and 'wpmowebp-js-resources' parameters can provide temporary protection. Additionally, site owners should enforce Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Educating users about the risks of clicking suspicious links and monitoring web server logs for unusual requests targeting these parameters can help detect attempted exploitation. Regular security audits and employing security plugins that scan for XSS vulnerabilities can further enhance protection. Finally, developers should review and improve input validation and output encoding practices in the plugin code to prevent similar issues in future releases.