The WP Dispensary plugin for WordPress, widely used for managing dispensary menus, suffers from a stored cross-site scripting vulnerability identified as CVE-2024-12444. This vulnerability exists in all versions up to and including 4.5.0 due to improper neutralization of input during web page generation, specifically within the 'wpd_menu' shortcode. The root cause is insufficient sanitization and escaping of user-supplied attributes, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute in the context of any user who views the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (contributor or above), no user interaction, and impacting confidentiality and integrity with a scope change. No patches or fixes are currently linked, and no active exploitation has been reported. The vulnerability highlights the risk of insufficient input validation in WordPress plugins, especially those that allow user-generated content or shortcode attributes to be rendered without proper sanitization.

If exploited, this vulnerability can lead to unauthorized script execution in the browsers of users visiting affected pages, potentially resulting in session hijacking, credential theft, defacement, or unauthorized actions performed with the victim's privileges. Since the vulnerability requires contributor-level access, attackers who have compromised or obtained such accounts can leverage this flaw to escalate their impact across the site and its users. The scope change indicates that the vulnerability can affect components beyond the initially compromised plugin, potentially impacting the broader WordPress environment. Organizations relying on WP Dispensary for their dispensary menus or related content risk reputational damage, data leakage, and user trust erosion if the vulnerability is exploited. Although no known exploits are currently reported, the medium severity and ease of exploitation by authenticated users make it a significant risk for websites with multiple contributors or less stringent access controls.

Organizations should immediately review user roles and permissions to ensure that only trusted users have contributor-level or higher access. Implement strict access controls and monitor for suspicious contributor activity. Until an official patch is released, consider disabling or removing the WP Dispensary plugin if it is not essential. If the plugin is critical, apply manual input sanitization and output escaping in the shortcode rendering code as a temporary mitigation. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script injections targeting the 'wpd_menu' shortcode. Regularly audit plugin versions and subscribe to vendor security advisories for timely updates. Additionally, educate content contributors on secure content practices and monitor logs for unusual behavior indicative of exploitation attempts.