CVE-2024-12120 is a stored cross-site scripting vulnerability identified in the Royal Elementor Addons and Templates plugin for WordPress, specifically affecting the Countdown widget's display_message_text parameter. This vulnerability stems from insufficient input sanitization and output escaping, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects all versions up to and including 1.7.1017. The CVSS 3.1 base score is 5.4, reflecting a medium severity with network attack vector, low attack complexity, and no user interaction required. The scope is unchanged, and the impact affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a risk especially in environments where multiple users have contributor or higher roles. The lack of output escaping in a commonly used widget makes this a significant concern for WordPress sites using this plugin. The vulnerability was published in May 2025 and has been enriched by CISA, indicating recognition by US cybersecurity authorities.

The primary impact of CVE-2024-12120 is on the confidentiality and integrity of affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed with victim privileges, and potential site defacement or redirection to malicious sites. While availability is not directly impacted, the reputational damage and loss of user trust can be significant. Organizations with multiple content contributors or editors are particularly vulnerable, as the attack requires authenticated access but only at a low privilege level. The widespread use of WordPress and Elementor-based plugins means a large attack surface exists globally. Without mitigation, attackers could leverage this vulnerability to establish footholds, escalate privileges, or conduct further attacks within compromised environments.

To mitigate CVE-2024-12120, organizations should first check for and apply any official patches or updates from the wproyal vendor once available. In the absence of a patch, administrators should restrict Contributor-level access to trusted users only and audit existing users for unnecessary privileges. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the display_message_text parameter can provide temporary protection. Site owners should also enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scanning the site for injected scripts and monitoring logs for suspicious activity is recommended. Additionally, educating content contributors about safe input practices and the risks of injecting untrusted content can reduce exploitation likelihood. Finally, consider disabling or replacing the vulnerable Countdown widget if it is not essential to site functionality until a fix is released.