
CVE-2024-12445: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in rightmessage RightMessage WP

Severity: Medium
Tags: Vulnerability, CVE-2024-12445, CWE-79
Published: Tue Jan 07 2025 (01/07/2025, 04:22:22 UTC)
Source: CVE Database V5
Vendor/Project: rightmessage
Product: RightMessage WP

Description

CVE-2024-12445 is a stored Cross-Site Scripting (XSS) vulnerability in the RightMessage WP WordPress plugin affecting all versions up to 0.9.7. It arises from improper input sanitization and output escaping of user-supplied attributes in the 'rm_area' shortcode. Authenticated users with contributor-level access or higher can inject malicious scripts that execute whenever a page containing the injected shortcode is viewed. The vulnerability has a CVSS score of 6.4, indicating medium severity, with a scope that affects confidentiality and integrity but not availability. Exploitation does not require user interaction but does require authentication with contributor privileges. No known public exploits have been reported yet. Organizations using RightMessage WP should prioritize patching or mitigating this vulnerability to prevent potential account compromise or session hijacking.

AI-Powered Analysis

Last updated: 02/26/2026, 04:43:43 UTC

Technical Analysis

CVE-2024-12445 is a stored Cross-Site Scripting (XSS) vulnerability identified in the RightMessage WP plugin for WordPress, specifically affecting all versions up to and including 0.9.7. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'rm_area' shortcode attributes, which allows an authenticated attacker with contributor-level access or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the context of any user who views the infected page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, indicating the vulnerability affects resources beyond the initially compromised component. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. This vulnerability is significant because it leverages WordPress’s widespread use and the plugin’s role in customizing user experience, making it a valuable target for attackers aiming to compromise website visitors or administrators.

Potential Impact

The impact of CVE-2024-12445 is primarily on the confidentiality and integrity of affected WordPress sites using the RightMessage WP plugin. An attacker with contributor-level access can inject malicious scripts that execute in the browsers of users visiting the compromised pages. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access escalation. Attackers may also manipulate page content or perform actions on behalf of users, potentially compromising site integrity and user trust. Although availability is not directly impacted, the reputational damage and potential data breaches can have significant operational and financial consequences. Organizations relying on RightMessage WP for marketing personalization or user engagement are at risk of targeted attacks, especially if contributor accounts are not tightly controlled. The vulnerability’s exploitation requires authentication, limiting exposure to internal or registered users, but the widespread use of WordPress and common contributor roles increase the attack surface globally.

Mitigation Recommendations

To mitigate CVE-2024-12445, organizations should first check for and apply any official patches or updates from the RightMessage WP plugin vendor as they become available. In the absence of patches, administrators should restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'rm_area' shortcode can provide temporary protection. Additionally, site administrators should enforce strict input validation and output encoding practices within custom shortcode implementations if modifying the plugin code. Regular security scanning and monitoring for anomalous script injections or unusual user behavior can help detect exploitation attempts early. Educating content contributors about safe input practices and limiting the use of shortcodes to trusted users further reduces risk. Finally, consider disabling or replacing the RightMessage WP plugin if it is not essential or if no timely patch is available.
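The "strict input validation and output encoding" practice recommended above, shown as an added PHP example. This is a hypothetical shortcode handler written for illustration, not code from the RightMessage WP plugin; the names example_area_shortcode_unsafe, example_area_shortcode_safe and the attribute set (id, title, link) are assumptions. The helpers add_shortcode, shortcode_atts, sanitize_key, sanitize_text_field, esc_html, esc_html__, esc_attr and esc_url are real WordPress core functions.

```php
<?php
// Added illustration (not RightMessage WP's code): a hypothetical shortcode
// handler that places attribute values into HTML, shown unsafe and hardened.

// UNSAFE: attribute values are concatenated into markup with no escaping, so
// whoever can place the shortcode also controls the emitted HTML. This is the
// general shape of the defect class described by CWE-79 in shortcode handlers.
function example_area_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'title' => '' ), $atts, 'example_area' );
    return '<div class="rm-area" data-id="' . $atts['id'] . '">' . $atts['title'] . '</div>';
}

// HARDENED: each attribute is first constrained to the data it should carry,
// then escaped for the exact context (attribute, text node, URL) it lands in.
function example_area_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => '', 'title' => '', 'link' => '' ),
        $atts,
        'example_area'
    );

    // An identifier only ever needs [a-z0-9_-]; sanitize_key() enforces that.
    $id = sanitize_key( $atts['id'] );

    // Free text: strip tags/control characters, then escape for a text node.
    $title = esc_html( sanitize_text_field( $atts['title'] ) );

    // URLs need esc_url(), which also rejects unsafe schemes such as javascript:.
    $link = esc_url( $atts['link'] );

    $html  = '<div class="rm-area" data-id="' . esc_attr( $id ) . '">';
    $html .= '<span class="rm-area-title">' . $title . '</span>';
    if ( '' !== $link ) {
        $html .= ' <a href="' . $link . '">' . esc_html__( 'Learn more', 'example-textdomain' ) . '</a>';
    }
    $html .= '</div>';

    return $html;
}

// Only the hardened handler is registered.
add_shortcode( 'example_area', 'example_area_shortcode_safe' );
```

The key design point is escaping at output time, per context: esc_attr() for attribute values, esc_html() for element content and esc_url() for href targets. Sanitizing on input alone is not sufficient, because the same stored value may later be rendered in a different context; escaping at the point of output is what a reviewer should look for when auditing a shortcode callback.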


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-10T19:08:58.117Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e3bb7ef31ef0b598a7a

Added to database: 2/25/2026, 9:48:43 PM

Last enriched: 2/26/2026, 4:43:43 AM

Last updated: 2/26/2026, 8:36:30 AM
