CVE-2024-12435 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Compare Products for WooCommerce plugin for WordPress, specifically in all versions up to and including 3.2.1. The vulnerability stems from improper neutralization of user-supplied input in the 's_feature' parameter during web page generation, classified under CWE-79. This insufficient input sanitization and lack of proper output escaping allow unauthenticated attackers to inject arbitrary JavaScript code into web pages. When a victim clicks on a maliciously crafted URL containing the payload in the 's_feature' parameter, the injected script executes in the context of the victim's browser. This can lead to theft of session cookies, user impersonation, or other malicious client-side actions. The vulnerability is exploitable remotely without authentication but requires user interaction (clicking a link). The CVSS v3.1 base score is 6.1, reflecting medium severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and impacts on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). Currently, no public exploits or active exploitation in the wild have been reported. The vulnerability affects a widely used WordPress plugin that enhances e-commerce functionality, making it a relevant concern for online retailers using WooCommerce. Since no patch links are provided yet, users must monitor vendor advisories for updates.

The primary impact of this vulnerability is on the confidentiality and integrity of user data within affected WooCommerce sites. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users, including administrators or customers. This can result in unauthorized access to sensitive information such as personal data, payment details, or order history. Additionally, attackers could perform actions on behalf of victims, potentially leading to fraudulent transactions or defacement of the website. Although availability is not directly impacted, the reputational damage and loss of customer trust can have significant business consequences. Given WooCommerce's extensive use in e-commerce worldwide, a large number of online stores could be exposed, increasing the risk of widespread phishing campaigns leveraging this vulnerability. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in targeted attacks or social engineering campaigns.

To mitigate this vulnerability, organizations should prioritize updating the Compare Products for WooCommerce plugin to a version that addresses the issue once released by the vendor. Until a patch is available, administrators can implement strict input validation and output encoding on the 's_feature' parameter to prevent script injection. Employing Web Application Firewalls (WAFs) with rules targeting reflected XSS patterns can help detect and block malicious payloads. Site owners should also educate users and staff about the risks of clicking suspicious links and encourage the use of security headers such as Content Security Policy (CSP) to restrict script execution sources. Regular security audits and monitoring for unusual user activity can help detect exploitation attempts early. Additionally, limiting plugin usage to trusted sources and minimizing unnecessary plugins reduces the attack surface.