CVE-2024-12493 is a stored cross-site scripting vulnerability identified in the Files Download Delay plugin for WordPress, developed by blueberryacc. This vulnerability exists in all versions up to and including 1.0.9 due to improper neutralization of user-supplied input in the 'fddwrap' shortcode. Specifically, the plugin fails to adequately sanitize and escape attributes provided by authenticated users with contributor-level access or higher, allowing them to inject arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially compromising session cookies, redirecting users, or performing unauthorized actions on their behalf. The vulnerability is classified under CWE-79, indicating improper input validation during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The vulnerability scope is changed (S:C), meaning the impact can extend beyond the vulnerable component. No patches or public exploits are currently available, but the risk remains significant due to the widespread use of WordPress and the plugin's user role requirements. The flaw highlights the importance of strict input validation and output encoding in WordPress plugins, especially those that process user-generated content or shortcodes.

The impact of CVE-2024-12493 is primarily on the confidentiality and integrity of affected WordPress sites. An attacker with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors or administrators. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed with the victim's privileges, and potential site defacement or redirection to malicious sites. Although availability is not directly affected, the trustworthiness and security of the website are compromised. Organizations relying on the Files Download Delay plugin may face reputational damage, data breaches, and compliance issues if exploited. Since contributor-level access is often granted to multiple users, the attack surface is relatively broad. The vulnerability can also facilitate further attacks such as privilege escalation or lateral movement within the WordPress environment. Given WordPress's global popularity, the potential impact spans small businesses to large enterprises using this plugin.

To mitigate CVE-2024-12493, organizations should immediately audit their WordPress installations for the presence of the Files Download Delay plugin and verify the version in use. Since no official patch is currently available, consider the following steps: 1) Restrict contributor-level permissions to trusted users only or temporarily disable contributor roles if feasible. 2) Remove or disable the 'fddwrap' shortcode usage in existing content to prevent script execution. 3) Implement web application firewall (WAF) rules to detect and block suspicious shortcode attribute patterns or script injections. 4) Monitor logs and user activities for unusual behavior related to shortcode usage or privilege abuse. 5) Educate content contributors about safe input practices and the risks of injecting scripts. 6) Regularly check for plugin updates or security advisories from blueberryacc and apply patches promptly once released. 7) Consider alternative plugins with better security track records if immediate patching is not possible. 8) Employ Content Security Policy (CSP) headers to limit the impact of injected scripts. These targeted actions go beyond generic advice and address the specific vectors of this vulnerability.