CVE-2024-12464 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Chatroll Live Chat plugin for WordPress, affecting all versions up to and including 2.5.0. The root cause is insufficient sanitization and escaping of user-supplied input within the plugin's 'chatroll' shortcode, which allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed whenever any user accesses the compromised page, leading to potential theft of session cookies, defacement, or redirection to malicious sites. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable plugin, impacting confidentiality and integrity but not availability. No patches or known exploits have been reported at the time of publication. The vulnerability is particularly concerning in multi-user WordPress environments where contributors can add content but are not fully trusted, as it elevates the risk of cross-site scripting attacks that can compromise site visitors and administrators alike.

The primary impact of CVE-2024-12464 is the compromise of confidentiality and integrity within affected WordPress sites using the Chatroll Live Chat plugin. Attackers with contributor-level access can inject persistent malicious scripts, enabling session hijacking, credential theft, or unauthorized actions performed on behalf of other users. This can lead to unauthorized data access, defacement, or distribution of malware to site visitors. Since the vulnerability does not affect availability directly, denial-of-service is less likely. However, the reputational damage and potential regulatory consequences from data breaches can be significant. Organizations relying on this plugin for customer interaction or support may face operational disruptions and loss of user trust. The risk is amplified in environments with many contributors or where contributor accounts are less strictly controlled. Additionally, the vulnerability could be chained with other exploits to escalate privileges or conduct broader attacks within the WordPress ecosystem.

To mitigate CVE-2024-12464, organizations should immediately update the Chatroll Live Chat plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should restrict contributor-level permissions to trusted users only and consider temporarily disabling the plugin or the 'chatroll' shortcode functionality. Implementing a Web Application Firewall (WAF) with rules to detect and block typical XSS payloads targeting the shortcode parameters can reduce risk. Regularly audit user-generated content for suspicious scripts and sanitize inputs at the application level if possible. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Monitoring logs for unusual activity related to shortcode usage and user behavior can help detect exploitation attempts early. Finally, educating contributors about secure content practices and enforcing strong authentication controls will further reduce the attack surface.