CVE-2024-12457 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the 'Chat Support for Viber – Chat Bubble and Chat Button for Gutenberg, Elementor and Shortcode' WordPress plugin developed by themeatelier. The vulnerability arises from insufficient sanitization and escaping of user-supplied attributes passed through the plugin's 'vchat' shortcode. Authenticated attackers with contributor-level permissions or higher can inject arbitrary JavaScript code into pages by manipulating shortcode attributes. Because the injected scripts are stored persistently, they execute whenever any user accesses the compromised page, enabling a range of attacks such as session hijacking, privilege escalation, or delivering malware. The vulnerability affects all plugin versions up to and including 1.7.2. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed as the vulnerability impacts other users beyond the attacker. No user interaction is required for exploitation once the malicious content is injected. No patches are currently linked in the provided data, and no known exploits have been reported in the wild. The vulnerability is significant for WordPress sites using this plugin, especially those allowing contributor-level users to add or edit content.

The impact of CVE-2024-12457 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the vulnerable site, which can lead to theft of session cookies, user credentials, or other sensitive information. It can also enable attackers to perform actions on behalf of other users, deface websites, or redirect users to malicious sites. Since the vulnerability requires contributor-level access, it may be exploited by malicious insiders or compromised accounts. The stored nature of the XSS means the malicious payload persists and affects all visitors to the infected page, increasing the potential reach of the attack. Although availability is not directly impacted, reputational damage and loss of user trust can be significant. Organizations relying on this plugin for customer engagement or support may face operational disruptions and increased risk of further compromise if attackers leverage this vulnerability as a foothold.

To mitigate CVE-2024-12457, organizations should first check for and apply any official patches or updates from themeatelier addressing this vulnerability. If no patch is available, temporarily disabling the plugin or removing the 'vchat' shortcode usage can reduce risk. Restrict contributor-level permissions strictly and audit user roles to minimize the number of users who can inject content. Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious shortcode attribute inputs or script tags. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly scan WordPress sites for XSS vulnerabilities and malicious content injections. Educate content contributors about safe input practices and monitor site content for unexpected changes. Finally, consider isolating critical WordPress instances or using security plugins that enhance input validation and output escaping.