CVE-2024-12446 identifies a stored Cross-Site Scripting vulnerability in the 'Post to Pdf' WordPress plugin developed by gravitymaster97. The vulnerability arises from insufficient input sanitization and output escaping in the 'gmptp_single_post' shortcode, which processes user-supplied attributes. Because these inputs are not properly neutralized, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the malicious scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of victims, or deface content. The vulnerability affects all versions up to and including 1.0 of the plugin. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates that the attack can be launched remotely over the network with low complexity, requires privileges (authenticated contributor or above), does not require user interaction, and impacts confidentiality and integrity with a scope change. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability is classified under CWE-79, which is a common and critical web application security weakness related to improper neutralization of input during web page generation.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of users who view those pages. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access escalation. Attackers could also manipulate page content or perform actions on behalf of other users, undermining data integrity. Although availability is not directly affected, the compromise of user accounts and site integrity can cause significant reputational damage and operational disruption. Organizations relying on the 'Post to Pdf' plugin risk exposure to targeted attacks, especially if contributor accounts are compromised or misused. The medium CVSS score reflects a moderate but significant risk, particularly in environments with multiple contributors or where sensitive data is handled via WordPress. The scope change indicates that the vulnerability can affect components beyond the initially compromised user context, increasing the risk profile.

Since no official patches are currently linked, organizations should immediately restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Disable or remove the 'Post to Pdf' plugin if it is not essential to reduce attack surface. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'gmptp_single_post' shortcode parameters. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Monitor logs for unusual POST requests or shortcode usage patterns indicative of exploitation attempts. Educate content contributors about the risks of injecting untrusted content. Once a patch or update is released by the vendor, apply it promptly. Additionally, consider scanning the site for injected scripts and cleaning any compromised pages to prevent persistent exploitation.