CVE-2024-12328 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the MAS Elementor plugin for WordPress developed by madrasthemes. The vulnerability affects all versions up to and including 1.1.7. It stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of SVG file uploads. Authenticated attackers with Author-level or higher privileges can upload crafted SVG files containing malicious JavaScript code. When any user accesses a page or resource that loads the malicious SVG, the embedded script executes in their browser context. This can lead to session hijacking, unauthorized actions on behalf of users, data theft, or further compromise of the WordPress site. The attack vector is remote over the network, with low complexity, but requires some level of privilege (Author or above). No user interaction is needed beyond accessing the malicious SVG. The vulnerability affects the confidentiality and integrity of the site and its users but does not impact availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 6.4, indicating medium severity. This vulnerability highlights the risks of insufficient input validation in plugins that handle file uploads and the importance of strict sanitization and escaping of user-supplied content, especially SVGs which can embed scripts.

The primary impact of CVE-2024-12328 is the potential compromise of user confidentiality and site integrity on WordPress installations using the MAS Elementor plugin. Attackers with Author-level access can inject persistent malicious scripts via SVG uploads, which execute in the browsers of any users viewing the affected pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and defacement or manipulation of site content. While availability is not directly affected, the reputational damage and potential data breaches can have significant operational and financial consequences. Organizations relying on MAS Elementor for content management or e-commerce may face increased risk of targeted attacks, especially if attackers gain Author-level access through compromised accounts or insider threats. The vulnerability's medium severity score reflects the need for timely remediation to prevent exploitation, particularly in environments with multiple users or high traffic. The lack of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.

To mitigate CVE-2024-12328, organizations should immediately restrict Author-level and higher privileges to trusted users only, minimizing the risk of malicious SVG uploads. Implement strict monitoring and auditing of file uploads, especially SVG files, to detect suspicious or unauthorized content. Employ web application firewalls (WAFs) with rules designed to detect and block malicious scripts embedded in SVGs. Disable or restrict SVG file uploads if not essential for site functionality. Until an official patch is released, consider applying custom input sanitization filters on SVG uploads to remove script elements or attributes. Educate site administrators and content creators about the risks of uploading untrusted SVG files. Regularly update WordPress core, plugins, and themes to incorporate security fixes once available. Additionally, implement Content Security Policy (CSP) headers to limit script execution sources, reducing the impact of potential XSS attacks. Finally, conduct penetration testing and vulnerability scanning focused on file upload functionalities to identify and remediate similar issues proactively.