The WP-Revive Adserver plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2024-12461. This vulnerability exists due to improper neutralization of input during web page generation, specifically within the 'wprevive_async' shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. When a page containing the injected shortcode is accessed by any user, the malicious script executes in their browser context. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. The vulnerability affects all versions up to and including 2.2.1 of the plugin. The CVSS 3.1 base score of 6.4 reflects a medium severity, with the attack vector being network-based, low attack complexity, requiring privileges (authenticated contributor or above), no user interaction, and a scope change due to potential impact on other users. No public exploits have been reported yet, but the vulnerability poses a significant risk in environments where multiple users have editing privileges. The lack of output escaping and input sanitization in the shortcode processing is the root cause, highlighting the need for secure coding practices in plugin development.

This vulnerability allows authenticated contributors or higher to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users viewing those pages. The impact includes potential theft of session cookies, user credentials, or other sensitive information, enabling attackers to impersonate users or escalate privileges. It can also facilitate unauthorized actions such as content manipulation or redirection to malicious sites. While availability is not directly affected, the integrity and confidentiality of user data and site content are at risk. For organizations relying on WP-Revive Adserver, especially those with multiple content contributors, this vulnerability could lead to widespread compromise of user accounts and damage to reputation. The medium CVSS score reflects that exploitation requires authenticated access, limiting the attack surface but still posing a significant threat in multi-user environments. The scope change indicates that the vulnerability affects not only the compromised user but potentially all users accessing the infected content.

Organizations should immediately update the WP-Revive Adserver plugin to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level and higher permissions to trusted users only. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'wprevive_async' shortcode can provide temporary protection. Conduct a thorough audit of existing content for injected scripts and remove any suspicious code. Educate content contributors about safe input practices and the risks of injecting untrusted content. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts. Monitoring logs for unusual activity related to shortcode usage or script execution is recommended to detect exploitation attempts early.