CVE-2024-12451 is a stored cross-site scripting vulnerability identified in the proxymis HTML5 chat plugin for WordPress, affecting all versions up to and including 1.04. The root cause is improper neutralization of user-supplied input within the plugin's 'HTML5CHAT' shortcode, where insufficient sanitization and output escaping allow malicious JavaScript code to be stored persistently. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary scripts into pages that utilize the vulnerable shortcode. When other users access these pages, the injected scripts execute in their browsers, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the victim. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common and dangerous web security issue. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was publicly disclosed on January 30, 2025, by Wordfence. This issue is significant for WordPress sites using the proxymis HTML5 chat plugin, especially those allowing contributor-level user roles, as it enables persistent XSS attacks that can undermine site integrity and user trust.

The impact of CVE-2024-12451 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the vulnerable site, which can lead to session hijacking, theft of authentication tokens, defacement, redirection to malicious sites, or unauthorized actions performed on behalf of legitimate users. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who visit the compromised pages, amplifying the potential damage. Organizations relying on the proxymis HTML5 chat plugin risk reputational damage, loss of user trust, and potential data breaches. The requirement for contributor-level access limits exploitation to authenticated users, but many WordPress sites allow such roles for content creation or community participation, increasing the attack surface. The vulnerability does not affect availability directly but can indirectly cause service disruption if exploited for defacement or injected with disruptive scripts. The medium CVSS score reflects a moderate but significant threat that should be addressed promptly to prevent exploitation and downstream impacts.

To mitigate CVE-2024-12451, organizations should first check for any official patches or updates from the proxymis plugin developers and apply them immediately once available. In the absence of an official patch, administrators should consider temporarily disabling or removing the HTML5 chat plugin to eliminate the attack vector. Restrict contributor-level access strictly to trusted users and review user roles to minimize the number of accounts capable of injecting malicious content. Implement a Web Application Firewall (WAF) with rules designed to detect and block XSS payloads targeting the 'HTML5CHAT' shortcode or suspicious script injections. Employ content security policies (CSP) to restrict the execution of unauthorized scripts on affected pages. Additionally, perform manual or automated code reviews and input sanitization enhancements on the shortcode processing logic if custom modifications are possible. Regularly audit site content for injected scripts and monitor logs for unusual activity. Educate content contributors about safe input practices and the risks of injecting untrusted code. Finally, maintain regular backups to enable recovery in case of compromise.