CVE-2024-12467 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Pago por Redsys plugin for WordPress, affecting all versions up to and including 1.0.12. The vulnerability stems from improper neutralization of input during web page generation, specifically inadequate sanitization and output escaping of the 'Ds_MerchantParameters' parameter. This parameter is used in the plugin's processing of payment-related data. Because the plugin fails to properly validate or encode this input, an attacker can craft a malicious URL containing JavaScript code within this parameter. When a victim clicks the malicious link, the injected script executes in the context of the victim's browser, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or conduct phishing attacks. The vulnerability is exploitable remotely without authentication but requires user interaction (clicking a link). The CVSS 3.1 base score is 6.1, reflecting medium severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and low impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). No public exploits are currently known, but the vulnerability poses a significant risk to websites using this plugin, especially those handling sensitive payment information. The reflected nature of the XSS limits automated exploitation but still presents a meaningful threat vector for targeted attacks or phishing campaigns.

The primary impact of CVE-2024-12467 is the compromise of user confidentiality and integrity through reflected XSS attacks. Attackers can steal session cookies, enabling account hijacking, or inject malicious scripts that perform unauthorized actions on behalf of the user. This can lead to phishing, data theft, or manipulation of payment processes. Since the vulnerability affects a payment plugin, successful exploitation could undermine trust in e-commerce transactions and potentially expose sensitive financial data indirectly. The requirement for user interaction reduces the likelihood of widespread automated exploitation but does not eliminate the risk of targeted attacks against customers or administrators. Organizations running WordPress sites with this plugin may face reputational damage, regulatory compliance issues, and financial losses if exploited. The vulnerability does not affect system availability directly but can facilitate further attacks that degrade security posture.

1. Immediate upgrade: Organizations should update the Pago por Redsys plugin to a version that addresses this vulnerability once released by the vendor. If no patch is available, consider temporarily disabling the plugin or replacing it with an alternative payment solution. 2. Input validation and output encoding: Developers should implement strict server-side validation and proper output escaping for the 'Ds_MerchantParameters' parameter to prevent script injection. 3. Web Application Firewall (WAF): Deploy a WAF with rules to detect and block malicious payloads targeting the vulnerable parameter. 4. User awareness: Educate users and administrators to avoid clicking suspicious links, especially those purporting to be related to payment processing. 5. Content Security Policy (CSP): Implement CSP headers to restrict the execution of unauthorized scripts in the browser. 6. Monitor logs: Regularly review web server and application logs for unusual requests containing suspicious parameters. 7. Harden WordPress security: Employ security plugins that provide XSS protection and keep WordPress core and all plugins up to date. 8. Incident response: Prepare to respond quickly to any signs of exploitation, including session hijacking or phishing attempts linked to this vulnerability.