CVE-2024-12502 is a stored cross-site scripting vulnerability identified in the My IDX Home Search plugin for WordPress, specifically affecting all versions up to and including 2.0.1. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), where user-supplied attributes in the 'homeasap-idx-landing' shortcode are not adequately sanitized or escaped before being rendered. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored and served to any visitor accessing the infected page, it can execute in the context of the victim’s browser, potentially compromising session tokens, redirecting users, or performing unauthorized actions on behalf of the user. The vulnerability is exploitable remotely over the network without user interaction but requires prior authentication with contributor or higher privileges. The CVSS v3.1 base score is 6.4, reflecting a medium severity with low attack complexity, no user interaction, and a scope change due to the impact on other users. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability primarily affects websites using the My IDX Home Search plugin, which is commonly employed in real estate listing sites built on WordPress. The attack vector leverages the plugin’s shortcode functionality, a common feature in WordPress plugins, making it a notable risk for sites with multiple content contributors.

The impact of CVE-2024-12502 is significant for organizations running WordPress sites with the My IDX Home Search plugin, especially those with multiple contributors or editors. Successful exploitation can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware through injected scripts. This can damage organizational reputation, lead to data breaches, and cause loss of user trust. Since the vulnerability requires contributor-level access, insider threats or compromised contributor accounts increase risk. The scope of the attack extends beyond the attacker’s account, affecting all visitors to the compromised page, which can include customers, partners, or employees. Although no known exploits are in the wild yet, the medium CVSS score and ease of exploitation suggest attackers may develop exploits quickly. Organizations in real estate, marketing, and content-heavy industries using this plugin are particularly vulnerable. The vulnerability could also be leveraged as a foothold for further attacks within the network or to pivot to more critical systems.

1. Immediately update the My IDX Home Search plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict contributor-level and higher permissions to trusted users only and audit existing contributor accounts for suspicious activity. 3. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the 'homeasap-idx-landing' shortcode parameters. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 5. Regularly scan WordPress sites for injected scripts or unusual shortcode usage patterns. 6. Educate contributors about the risks of injecting untrusted content and enforce strict input validation policies. 7. Monitor logs for anomalous shortcode usage or unexpected page modifications. 8. Consider disabling or removing the plugin if it is not essential to reduce attack surface. 9. Use security plugins that provide real-time monitoring and alerting for XSS attempts. 10. Backup site data regularly to enable quick restoration if compromise occurs.