CVE-2024-12460 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the 'Years Since – Timeless Texts' WordPress plugin developed by laurencebahiirwa. The flaw exists in all versions up to and including 1.4.1 due to insufficient sanitization and escaping of user input in the 'years-since' shortcode attributes. This allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is remotely exploitable over the network without user interaction and requires only low privileges (contributor access). The CVSS v3.1 score is 6.4, reflecting medium severity with low attack complexity and no user interaction needed. The vulnerability affects the confidentiality and integrity of the affected websites but does not impact availability. No public exploit code or active exploitation has been reported yet. The lack of patches or official fixes at the time of publication increases the urgency for site administrators to implement mitigations or restrict contributor access until updates are available.

This vulnerability can lead to unauthorized script execution within the context of affected WordPress sites, compromising user sessions and potentially allowing attackers to perform actions on behalf of other users, including administrators. This undermines the confidentiality and integrity of site data and user information. For organizations, exploitation could result in defacement, data theft, or further compromise of the WordPress environment. Since contributor-level access is required, the threat is primarily from insider threats or compromised contributor accounts. However, given WordPress's widespread use globally, especially in small to medium enterprises and content-driven websites, the impact can be significant if exploited at scale. The vulnerability does not affect availability directly but can lead to reputational damage and loss of user trust. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

Site administrators should immediately review and restrict contributor-level access to trusted users only, minimizing the risk of malicious input injection. Until an official patch is released, consider disabling or removing the 'Years Since – Timeless Texts' plugin if it is not essential. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs that contain script tags or suspicious payloads. Regularly audit user-generated content for injected scripts and sanitize inputs manually if feasible. Monitor WordPress security advisories for updates or patches from the plugin developer and apply them promptly once available. Additionally, enforce the principle of least privilege for all WordPress roles and consider deploying Content Security Policy (CSP) headers to limit the impact of any injected scripts. Backup site data regularly to enable recovery in case of compromise.