CVE-2024-12477 is a stored cross-site scripting (XSS) vulnerability identified in the Avada (Fusion) Builder plugin for WordPress, affecting all versions up to and including 3.11.11. The root cause is insufficient sanitization and escaping of user-supplied attributes within the plugin's shortcodes, which are used to generate dynamic page content. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability does not require user interaction beyond visiting the compromised page and does not affect availability but impacts confidentiality and integrity. The CVSS v3.1 score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to affecting other users. No known exploits have been reported in the wild yet. The vulnerability highlights the risks of improper input validation in widely used WordPress plugins, especially those that allow content creation by multiple user roles. Since Avada is a popular theme and builder plugin with a large user base, the potential attack surface is significant. The vulnerability was publicly disclosed in January 2025, with no official patch links available at the time of reporting. The CWE classification is CWE-79, which corresponds to improper neutralization of input during web page generation, a common vector for XSS attacks.

The primary impact of CVE-2024-12477 is the compromise of confidentiality and integrity of user sessions and data within affected WordPress sites using the Avada Builder plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed with the victim's privileges. This can facilitate further compromise of the website, including privilege escalation or defacement. Although availability is not directly affected, the reputational damage and potential data breaches can have significant operational and financial consequences. Organizations relying on Avada Builder for content management, especially those with multiple contributors or editors, face increased risk. The scope of affected systems is broad due to the widespread use of WordPress and the popularity of the Avada theme and builder plugin. The ease of exploitation is moderate since authenticated contributor-level access is required, which is a common user role in many content-managed sites. The vulnerability could be leveraged in targeted attacks against organizations with valuable web assets or high-profile websites. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code may emerge post-disclosure.

1. Apply official patches or updates from ThemeFusion as soon as they become available to address the input sanitization and output escaping flaws in the Avada Builder plugin. 2. In the interim, restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 3. Implement additional server-side input validation and output encoding for all user-supplied shortcode attributes, potentially via custom plugin hardening or web application firewall (WAF) rules. 4. Monitor website content for unexpected or suspicious script tags or inline JavaScript, especially in pages created or edited by contributors. 5. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 6. Educate site administrators and content creators about the risks of XSS and the importance of cautious content management. 7. Regularly audit user roles and permissions to ensure least privilege principles are enforced. 8. Consider disabling shortcode usage from untrusted users or temporarily disabling the Avada Builder plugin if immediate patching is not possible and risk is high.