CVE-2024-12491 is a stored cross-site scripting vulnerability classified under CWE-79 found in the SimplyRETS Real Estate IDX WordPress plugin, which is widely used to integrate real estate listings into WordPress sites. The vulnerability exists in the 'sr_search_form' shortcode, where user-supplied attributes are not properly sanitized or escaped before being rendered in web pages. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code that is stored persistently in the website's content. When other users, including administrators or site visitors, access the infected pages, the malicious scripts execute in their browsers. This can lead to theft of session cookies, unauthorized actions on behalf of users, or further compromise of the website. The CVSS 3.1 score of 6.4 reflects a medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk given the common use of WordPress and the plugin in real estate websites. The lack of official patches at the time of disclosure increases the urgency for mitigation.

The impact of CVE-2024-12491 is primarily on the confidentiality and integrity of affected WordPress sites using the SimplyRETS plugin. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users, including administrators, potentially leading to session hijacking, privilege escalation, or unauthorized content manipulation. This can result in data theft, defacement, or further compromise of the website and its users. For organizations relying on these real estate IDX sites, such an attack could damage reputation, lead to loss of customer trust, and expose sensitive client information. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by internal access controls, but insider threats or compromised contributor accounts increase the risk. The scope of affected systems is broad given the popularity of WordPress and the plugin in real estate sectors globally.

To mitigate CVE-2024-12491, organizations should immediately restrict contributor-level access to trusted users only and review existing contributor accounts for suspicious activity. Until an official patch is released, administrators can implement input validation and output escaping at the application or web server level, such as using Web Application Firewalls (WAFs) with custom rules to detect and block malicious script injections targeting the 'sr_search_form' shortcode. Monitoring logs for unusual shortcode usage or script injection attempts is critical. Additionally, applying the principle of least privilege to WordPress roles reduces the attack surface. Site owners should stay alert for updates from the plugin vendor and apply patches promptly once available. Regular security audits and user training on secure content management practices will further reduce risk.