CVE-2024-12162 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Video & Photo Gallery plugin for Ultimate Member, a WordPress plugin widely used to enhance user profiles with multimedia galleries. The vulnerability arises from improper neutralization of input during web page generation, specifically through the 'page' parameter. This parameter is insufficiently sanitized and escaped before being included in the HTML output, allowing attackers to inject malicious JavaScript code. Because the vulnerability is reflected, the malicious payload is embedded in a crafted URL that, when clicked by a user, causes the injected script to execute in the context of the victim's browser session. The attacker does not need any authentication to exploit this flaw, but successful exploitation requires user interaction, such as clicking a malicious link. The CVSS 3.1 base score of 6.1 reflects a medium severity level, with network attack vector, low attack complexity, no privileges required, user interaction needed, and a scope change indicating that the vulnerability can affect resources beyond the vulnerable component. The impact includes partial loss of confidentiality and integrity, such as theft of cookies, session tokens, or manipulation of displayed content. No patches or official fixes have been linked yet, and no known exploits are reported in the wild, but the vulnerability is publicly disclosed and could be targeted by attackers. This vulnerability affects all versions up to and including 1.1.1 of the plugin, which is commonly installed on WordPress sites that use the Ultimate Member plugin for user profile enhancements.

The primary impact of CVE-2024-12162 is the potential compromise of user data confidentiality and integrity on affected WordPress sites. Attackers can exploit this vulnerability to execute arbitrary scripts in the context of a victim's browser, enabling theft of session cookies, credentials, or other sensitive information. This can lead to account takeover, unauthorized actions on behalf of users, or distribution of malware through the compromised site. For organizations, this can result in reputational damage, loss of user trust, and potential regulatory penalties if personal data is exposed. Since the vulnerability is exploitable without authentication but requires user interaction, phishing or social engineering campaigns could be used to lure victims. The scope change in the CVSS vector suggests that the impact could extend beyond the plugin itself, potentially affecting other components or user data managed by the site. Although no active exploits are known, the public disclosure increases the risk of exploitation attempts. Websites that rely heavily on the affected plugin for multimedia galleries and user engagement are particularly at risk, especially if they have a large user base or handle sensitive user information.

To mitigate CVE-2024-12162, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of an official patch, administrators can implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'page' parameter. Input validation and output encoding should be enforced at the application level to sanitize user-supplied data rigorously. Site administrators should also educate users about the risks of clicking on suspicious links and consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Disabling or removing the vulnerable plugin temporarily can be a last resort if immediate patching is not possible. Regular security audits and monitoring for unusual activity or attempted exploitation attempts should be conducted. Additionally, leveraging security plugins that provide XSS protection and ensuring WordPress core and other plugins are up to date will reduce the overall attack surface.