CVE-2024-12439 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Marketplace Items plugin for WordPress, developed by lumiblog. The vulnerability arises from improper neutralization of input during web page generation, specifically within the plugin's 'marketplace' shortcode. All versions up to and including 1.5.5 are affected. The root cause is insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges (authenticated contributor or above). The scope is changed because the vulnerability affects other users beyond the attacker. No user interaction is required for exploitation once the malicious script is stored. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. This vulnerability highlights the risk of insufficient input validation in WordPress plugins, especially those that allow user-generated content to be rendered dynamically.

The primary impact of CVE-2024-12439 is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors, including administrators and other users. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed with victim privileges, and potential site defacement or redirection to malicious sites. Although availability is not directly impacted, the trustworthiness and security posture of the affected website can be severely damaged. Organizations relying on the Marketplace Items plugin may face reputational damage, data breaches, and increased risk of further exploitation if attackers leverage this vulnerability as an initial foothold. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments where contributor access is widely granted or compromised. The vulnerability affects all sites using the plugin, which may include e-commerce, content marketplaces, or community-driven platforms, increasing the potential scope of impact globally.

To mitigate CVE-2024-12439, organizations should first check for and apply any official patches or updates from the lumiblog Marketplace Items plugin as soon as they become available. In the absence of patches, administrators should restrict contributor-level access to trusted users only and review existing user permissions to minimize the number of users who can exploit this vulnerability. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in the 'marketplace' shortcode parameters can provide temporary protection. Additionally, site owners should audit content generated via the plugin for suspicious scripts and sanitize or remove any untrusted inputs manually. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular security scanning and monitoring for unusual activity or changes in plugin-generated pages are recommended. Finally, educating contributors on secure content practices and monitoring for privilege escalation attempts will reduce the likelihood of exploitation.