CVE-2024-12459 is a stored cross-site scripting vulnerability in the Ganohrs Toggle Shortcode plugin for WordPress, affecting all versions up to 0.2.4. The issue arises from improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping of user-supplied attributes in the 'toggle' shortcode. This allows authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code that executes in the context of users viewing the injected pages. The vulnerability is classified under CWE-79 and has a CVSS v3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges, no user interaction, scope change, and limited confidentiality and integrity impact without availability impact.

An attacker with contributor-level or higher access to a WordPress site using the vulnerable Ganohrs Toggle Shortcode plugin can inject persistent malicious scripts. These scripts execute in the browsers of users who visit the compromised pages, potentially leading to session hijacking, defacement, or other client-side attacks. The vulnerability impacts confidentiality and integrity but does not affect availability. There are no known exploits in the wild at this time.

No official patch or fix is currently available for this vulnerability. Site administrators should consider restricting contributor-level access until a fix is released or remove/disable the Ganohrs Toggle Shortcode plugin if it is not essential. Monitor the vendor's advisory channels for updates regarding patches or official remediation guidance. Avoid using the vulnerable shortcode with untrusted input.