CVE-2024-12278 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Booster for WooCommerce plugin for WordPress, which is widely used to enhance WooCommerce functionality. The vulnerability exists in all versions up to and including 7.2.5 due to improper neutralization of input during web page generation. Specifically, the plugin fails to adequately sanitize and escape user-supplied input that is processed through wp_kses, a WordPress function intended to filter HTML content. This insufficiency allows unauthenticated attackers to inject arbitrary JavaScript code into pages that accept user input, such as comment sections or other input fields that rely on wp_kses for sanitization. When a victim visits a page containing the injected script, the malicious code executes in their browser context, potentially leading to session hijacking, data theft, or further exploitation. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score of 7.2 reflects a high severity, with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change indicating impact beyond the vulnerable component. Although no known exploits have been reported in the wild, the widespread deployment of WooCommerce and Booster for WooCommerce plugins in e-commerce websites globally makes this vulnerability a significant concern. The lack of available patches at the time of reporting necessitates immediate attention from administrators to apply workarounds or monitor for updates.

The impact of CVE-2024-12278 is significant for organizations using the Booster for WooCommerce plugin, especially those operating e-commerce platforms on WordPress. Successful exploitation allows attackers to execute arbitrary scripts in the context of users visiting affected pages, leading to potential theft of sensitive information such as authentication cookies, personal data, or payment details. This can result in account compromise, unauthorized transactions, or further network infiltration. The vulnerability undermines user trust and can lead to reputational damage, regulatory penalties, and financial losses. Since the attack requires no authentication or user interaction, it can be automated and scaled, increasing the risk of widespread exploitation. Additionally, the scope change in the CVSS vector indicates that the impact extends beyond the plugin itself, potentially affecting the entire WordPress site and its users. Organizations with high traffic e-commerce sites or those handling sensitive customer data are at elevated risk. The absence of known exploits currently provides a window for proactive mitigation, but the threat landscape may evolve rapidly.

To mitigate CVE-2024-12278, organizations should immediately assess their use of the Booster for WooCommerce plugin and upgrade to a patched version once available. In the absence of an official patch, administrators should implement the following specific measures: 1) Disable or restrict user input fields that rely on wp_kses sanitization, such as comments or custom input areas, until a fix is applied. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting the plugin's input vectors. 3) Conduct thorough input validation and output encoding at the application level, supplementing wp_kses with stricter sanitization libraries or custom filters. 4) Monitor web server and application logs for unusual input patterns or script injection attempts. 5) Educate site administrators and developers about secure coding practices to prevent similar vulnerabilities. 6) Regularly audit installed plugins and themes for updates and security advisories. 7) Consider isolating critical e-commerce functions or deploying Content Security Policy (CSP) headers to limit script execution sources. These targeted actions will reduce the attack surface and protect users until an official patch is released.