CVE-2024-12411 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin WP Ad Guru – Banner ad, Responsive popup, Popup maker, Ad rotator & More, maintained by onetarek. This vulnerability exists in all versions up to and including 2.5.4 due to insufficient sanitization and escaping of the 'page' parameter during web page generation. An unauthenticated attacker can exploit this flaw by injecting arbitrary JavaScript code into the 'page' parameter, which is then stored persistently and executed in the context of any user who visits the affected page. This type of stored XSS can lead to a range of attacks including session hijacking, theft of cookies, defacement, or redirecting users to malicious websites. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is widely used in WordPress environments for managing ads and popups, making the potential attack surface significant.

The impact of this vulnerability is primarily on the confidentiality and integrity of user data and the affected website. Attackers can execute arbitrary scripts in the context of users visiting the compromised pages, potentially stealing session cookies, redirecting users to phishing or malware sites, or defacing the website content. This can lead to loss of user trust, reputational damage, and potential legal consequences for organizations handling sensitive user data. Since the vulnerability is exploitable without authentication and remotely over the network, the risk is elevated. However, the requirement for user interaction (visiting the infected page) limits automated exploitation. The scope change in CVSS indicates that the vulnerability can affect components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site. Organizations relying on this plugin for advertising or popup management on high-traffic sites are particularly vulnerable to widespread impact.

1. Monitor the vendor’s official channels for a security patch and apply it immediately once available. 2. Until a patch is released, implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'page' parameter. 3. Conduct manual input validation and output encoding for the 'page' parameter if custom code or overrides are in place. 4. Restrict user permissions to minimize the ability to inject content, especially for unauthenticated users. 5. Regularly audit and sanitize stored content in the plugin’s database tables to remove any injected scripts. 6. Educate site administrators and users about the risks of clicking suspicious links or visiting untrusted pages. 7. Consider disabling or replacing the plugin with a more secure alternative if immediate patching is not feasible. 8. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site.