CVE-2024-12465 is a stored cross-site scripting vulnerability identified in the Property Hive Stamp Duty Calculator plugin for WordPress, specifically in the 'stamp_duty_calculator_scotland' shortcode. The flaw arises from improper neutralization of user-supplied input due to insufficient sanitization and output escaping, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially enabling session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability affects all plugin versions up to and including 1.0.22. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges (contributor or above), no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet. The vulnerability's scope is confined to sites using this plugin, but the stored nature of the XSS increases risk since injected scripts persist and affect multiple users. The vulnerability was published on December 13, 2024, and assigned by Wordfence. No official patches are currently linked, so mitigation relies on access control and input validation.

The primary impact of CVE-2024-12465 is the compromise of user confidentiality and integrity on affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts that execute in the context of site visitors, potentially stealing session cookies, redirecting users to phishing sites, or performing unauthorized actions on behalf of users with higher privileges. This can lead to account takeover, data leakage, defacement, or further compromise of the WordPress environment. Since the vulnerability requires authenticated access, the initial barrier reduces risk but does not eliminate it, especially on sites with multiple contributors or less stringent access controls. The stored nature of the XSS means that once exploited, the malicious payload affects all users visiting the infected pages, amplifying the impact. Organizations relying on this plugin for real estate or property-related services may face reputational damage, loss of customer trust, and regulatory scrutiny if user data is compromised. The absence of known exploits in the wild currently limits immediate widespread impact, but the medium severity score and ease of exploitation by authenticated users warrant prompt attention.

1. Immediately restrict contributor-level and higher access to trusted users only, minimizing the risk of malicious input injection. 2. Apply strict input validation and sanitization on all user-supplied attributes related to the 'stamp_duty_calculator_scotland' shortcode, ideally using WordPress core functions like sanitize_text_field() and esc_html() or esc_attr() for output escaping. 3. Monitor and audit content created or edited by contributors for suspicious scripts or unexpected HTML tags. 4. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting this plugin's shortcode parameters. 5. Encourage the plugin vendor to release a security patch and apply it promptly once available. 6. Educate site administrators and contributors about the risks of injecting untrusted content and enforce the principle of least privilege. 7. Regularly backup site data and have an incident response plan to quickly remediate any detected compromise. 8. Consider disabling or replacing the vulnerable plugin if immediate patching is not feasible.