CVE-2024-12120 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the Royal Elementor Addons and Templates WordPress plugin developed by wproyal. This vulnerability exists in all versions up to and including 1.7.1017. The flaw arises from improper input sanitization and insufficient output escaping of the 'display_message_text' parameter within the Countdown widget. An authenticated attacker with Contributor-level privileges or higher can exploit this vulnerability by injecting malicious JavaScript code into pages using the vulnerable widget. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability does not require user interaction beyond visiting the affected page, and the attack vector is remote over the network. The CVSS v3.1 base score is 5.4, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, privileges required (low), no user interaction, unchanged scope, and low impact on confidentiality and integrity, with no impact on availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is classified under CWE-79, which relates to improper neutralization of input during web page generation, a common cause of XSS vulnerabilities.

For European organizations using WordPress sites with the Royal Elementor Addons and Templates plugin, this vulnerability poses a risk of client-side script injection that can compromise user sessions, steal sensitive information, or perform unauthorized actions on behalf of users. Since the exploit requires Contributor-level access, attackers may first need to compromise or register accounts with such privileges, which is feasible in environments with weak user management or insufficient access controls. The impact is particularly significant for organizations that rely on WordPress for customer-facing websites, intranets, or portals where user trust and data confidentiality are critical. Exploitation could lead to reputational damage, data breaches involving personal data protected under GDPR, and potential regulatory penalties. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network if administrative users are targeted. The absence of a patch increases the urgency for mitigation. Given the widespread use of WordPress across Europe, the threat surface is considerable, especially for sectors such as e-commerce, media, education, and government that frequently use Elementor-based themes and plugins.

European organizations should immediately audit their WordPress installations to identify the presence of the Royal Elementor Addons and Templates plugin and determine the version in use. Until an official patch is released, organizations should consider the following mitigations: 1) Restrict Contributor-level and higher privileges strictly to trusted users, implementing the principle of least privilege and reviewing user roles and permissions regularly. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'display_message_text' parameter. 3) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4) Monitor logs and user activity for signs of unauthorized content injection or anomalous behavior. 5) Consider temporarily disabling or replacing the vulnerable widget if feasible. 6) Educate site administrators and content creators about the risks of XSS and safe content practices. 7) Stay alert for official patches or updates from the vendor and apply them promptly once available. 8) Use security plugins that can sanitize inputs or outputs as an additional layer of defense.