The GeoDataSource Country Region DropDown plugin for WordPress suffers from a stored cross-site scripting vulnerability identified as CVE-2024-12474. This vulnerability is caused by improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes in the plugin's 'gds-country-dropdown' shortcode. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts using the shortcode. Because the injected scripts are stored persistently, they execute automatically whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or further exploitation within the WordPress environment. The vulnerability affects all versions up to and including 1.0.1 of the plugin. The CVSS 3.1 base score is 6.4, indicating a medium severity level, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No official patches have been published at the time of disclosure, and no known exploits have been observed in the wild. The vulnerability highlights the importance of rigorous input validation and output encoding in WordPress plugins, especially those that accept user input for shortcode attributes.

The primary impact of CVE-2024-12474 is the potential compromise of confidentiality and integrity within WordPress sites using the vulnerable GeoDataSource plugin. An attacker with contributor-level access can inject malicious JavaScript that executes in the context of any user visiting the affected page, including administrators. This can lead to session hijacking, unauthorized actions performed on behalf of users, theft of sensitive information such as cookies or credentials, and possible defacement or redirection to malicious sites. While availability is not directly affected, the resulting compromise can lead to broader security incidents, including privilege escalation and persistent backdoors. Organizations relying on this plugin, particularly those with multiple contributors or public-facing content management, face increased risk of targeted attacks and reputational damage. The medium severity score reflects the need for timely remediation to prevent exploitation, especially in environments with multiple authenticated users.

To mitigate CVE-2024-12474, organizations should first check for and apply any official patches or updates from the GeoDataSource plugin vendor once available. In the absence of patches, administrators should consider temporarily disabling the plugin or removing the 'gds-country-dropdown' shortcode usage from all content. Restrict contributor-level access and above to trusted users only, minimizing the risk of malicious script injection. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts targeting the shortcode attributes. Conduct a thorough audit of existing content for injected scripts and remove any malicious code. Additionally, enforce Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Educate content contributors about the risks of injecting untrusted input and monitor logs for unusual activity related to the plugin. Finally, consider alternative plugins with better security track records if timely patching is not feasible.