CVE-2024-12458 is a stored cross-site scripting (XSS) vulnerability identified in the Smart PopUp Blaster plugin for WordPress, affecting all versions up to and including 1.4.3. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'spb-button' shortcode attributes. This flaw allows authenticated attackers with contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of the victim. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change due to the impact on other users. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk in environments where multiple users have contributor or higher access. The plugin’s widespread use in WordPress sites increases the potential attack surface, especially for sites that allow multiple contributors or guest authors. The vulnerability does not affect availability but can compromise confidentiality and integrity by enabling script injection and subsequent malicious activities. The lack of a patch link suggests that users should monitor vendor updates closely or apply manual mitigations to sanitize inputs and restrict contributor privileges until a fix is available.

The primary impact of CVE-2024-12458 is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or defacement. This can erode user trust, damage brand reputation, and expose organizations to regulatory compliance risks, especially if personal data is compromised. Since the vulnerability requires authenticated access at the contributor level, sites with multiple contributors or guest authors are at higher risk. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the attacker’s privileges, increasing the severity of the impact. Although availability is not affected, the ability to execute arbitrary scripts can facilitate further attacks, including phishing or malware distribution. Organizations relying on the Smart PopUp Blaster plugin should consider the risk of targeted attacks, especially in sectors such as media, education, and e-commerce where WordPress is prevalent and multiple contributors are common. Failure to address this vulnerability could lead to exploitation that undermines site integrity and user security.

To mitigate CVE-2024-12458, organizations should first verify if they are using the Smart PopUp Blaster plugin version 1.4.3 or earlier and plan for immediate updates once a patch is released by the vendor. Until an official patch is available, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling the plugin or the 'spb-button' shortcode functionality to prevent exploitation. Implementing a web application firewall (WAF) with custom rules to detect and block suspicious script injection attempts targeting the shortcode parameters can provide interim protection. Additionally, site owners should audit existing content for injected scripts and remove any malicious code. Enforcing strict input validation and output encoding on all user-supplied data within the plugin’s codebase is essential for a long-term fix. Monitoring logs for unusual contributor activity and educating contributors about safe content practices can reduce the likelihood of exploitation. Finally, maintaining regular backups and having an incident response plan ready will help organizations recover quickly if exploitation occurs.