The vulnerability CVE-2024-12457 affects the 'Chat Support for Viber – Chat Bubble and Chat Button for Gutenberg, Elementor and Shortcode' WordPress plugin up to version 1.7.3. It is a stored cross-site scripting (CWE-79) flaw caused by improper neutralization of input during web page generation. Specifically, the plugin fails to properly sanitize and escape user-supplied attributes in the 'vchat' shortcode, enabling authenticated users with contributor or higher privileges to inject arbitrary JavaScript code. This code executes in the context of any user accessing the infected page, potentially leading to session hijacking or other script-based attacks. The CVSS 3.1 vector indicates network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, scope changed, and low confidentiality and integrity impacts without availability impact. No patch or vendor advisory is currently available to confirm remediation status.

An authenticated attacker with contributor-level access or higher can exploit this vulnerability to inject and store malicious scripts that execute in the browsers of users who visit the affected pages. This can lead to unauthorized actions performed on behalf of users, theft of sensitive information, or other malicious activities enabled by cross-site scripting. The impact is limited to confidentiality and integrity with no availability impact. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access to trusted users only and consider disabling or removing the vulnerable plugin if possible. Monitor for updates from the plugin vendor or WordPress security channels to apply any forthcoming patches promptly.