CVE-2024-12077 is a reflected cross-site scripting vulnerability identified in the Booking Calendar and Booking Calendar Pro plugins developed by wpdevart for WordPress. This vulnerability exists due to improper neutralization of user-supplied input in the 'calendar_id' parameter, which is insufficiently sanitized and escaped before being included in web pages. As a result, an attacker can craft a malicious URL containing executable JavaScript code within the 'calendar_id' parameter. When an unsuspecting user clicks this link, the injected script executes in their browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or manipulate page content. The vulnerability affects all plugin versions up to 3.2.19 (Booking Calendar) and 11.2.19 (Booking Calendar Pro). The attack vector is remote and requires no authentication, but user interaction is necessary (clicking a malicious link). The CVSS 3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, user interaction needed, and impact on confidentiality and integrity but not availability. No patches or exploit code are currently publicly available, and no active exploitation has been reported. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

The primary impact of this vulnerability is the compromise of user confidentiality and integrity on affected WordPress sites using the vulnerable Booking Calendar plugins. Attackers can execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, theft of sensitive information, phishing attacks, or unauthorized actions performed with the victim's privileges. While availability is not affected, the trustworthiness of the affected websites can be undermined, damaging organizational reputation and user confidence. Since the vulnerability requires user interaction, the scope depends on the attacker's ability to lure users into clicking malicious links, which can be facilitated via phishing emails or social engineering. Organizations relying on these plugins for appointment or booking management, especially those handling sensitive user data or financial transactions, face increased risk. The vulnerability's medium severity suggests it is a significant concern but not an immediate critical threat, though it can be leveraged as part of broader attack campaigns.

Organizations should monitor for official patches from wpdevart and promptly update the Booking Calendar and Booking Calendar Pro plugins to fixed versions once released. In the interim, deploying a web application firewall (WAF) with rules to detect and block reflected XSS attempts targeting the 'calendar_id' parameter can reduce risk. Site administrators should audit their WordPress installations to identify the presence of these plugins and disable or remove them if not essential. Implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Educating users to avoid clicking suspicious or unsolicited links, especially those purporting to be from booking or appointment services, is critical. Additionally, reviewing and hardening input validation and output encoding practices in custom code interfacing with these plugins can provide defense in depth. Regular security scanning and monitoring for anomalous activity related to these plugins are recommended.