CVE-2024-12504: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in videowhisper Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP
CVE-2024-12504 is a stored cross-site scripting (XSS) vulnerability in the Broadcast Live Video – Live Streaming WordPress plugin (versions up to and including 6.1.9). It arises from improper input sanitization and output escaping in the 'videowhisper_hls' shortcode, allowing authenticated users with contributor-level access or higher to inject malicious scripts. These scripts execute whenever any user views the affected page, potentially leading to session hijacking, defacement, or further attacks. The vulnerability has a CVSS score of 6.4 (medium severity) and does not require user interaction but does require authenticated access. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent exploitation.
AI Analysis
Technical Summary
CVE-2024-12504 is a stored cross-site scripting (XSS) vulnerability in the Broadcast Live Video – Live Streaming plugin for WordPress, which supports HTML5, WebRTC, HLS, RTSP, and RTMP streaming. The flaw exists in all versions up to and including 6.1.9, in the 'videowhisper_hls' shortcode. The root cause is insufficient sanitization and escaping of user-supplied shortcode attributes: values are written into the generated page without being escaped for the HTML context they land in. This matters because WordPress's KSES filter, which strips raw script tags and event-handler attributes from posts written by users without the unfiltered_html capability, does not inspect shortcode attributes; a contributor can therefore place an attribute-breakout payload inside '[videowhisper_hls ...]' and it is stored intact until the shortcode handler renders it. Because the payload lives in post content, it executes every time the page is rendered, including when an editor or administrator previews or publishes the contributor's draft, and for every visitor afterwards. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and can lead to session hijacking, actions performed on behalf of the victim, or redirection to attacker-controlled sites. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, low impact on confidentiality and integrity, and no impact on availability. No public exploit code or widespread exploitation has been reported. Exposure is greatest on sites that accept content from many contributors or authors. Remediation is to update the plugin to a fixed release; until then, disable the shortcode or the plugin, since a site operator cannot add output encoding to third-party plugin code without forking it.
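As an added illustration (this is not the plugin's code; the shortcode tag 'demo_hls' and the attribute names 'stream', 'width' and 'height' are assumptions), the following PHP shows the pattern behind this class of bug: a shortcode handler that copies attribute values into markup unescaped, beside a hardened handler that validates types and escapes at the point of output.

```php
<?php
// Added illustration, not the plugin's code. The tag 'demo_hls' and the
// attribute names 'stream', 'width' and 'height' are assumptions.

// Vulnerable pattern: attribute values copied straight into markup.
function demo_hls_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'stream' => '', 'width' => '640', 'height' => '360' ),
        $atts,
        'demo_hls'
    );

    // A contributor can store this in a draft:
    //   [demo_hls stream='x" onmouseover="alert(document.domain)" x=']
    // It contains no '<', so KSES never sees an HTML tag and keeps it intact.
    // Rendered output:
    //   <video id="hls-player" width="640" height="360" data-stream="x"
    //          onmouseover="alert(document.domain)" x=""></video>
    return '<video id="hls-player" width="' . $atts['width']
        . '" height="' . $atts['height']
        . '" data-stream="' . $atts['stream'] . '"></video>';
}

// Hardened pattern: coerce types, restrict character sets, escape at output.
function demo_hls_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'stream' => '', 'width' => '640', 'height' => '360' ),
        $atts,
        'demo_hls'
    );

    $width  = absint( $atts['width'] );   // non-negative integer, 0 if junk
    $height = absint( $atts['height'] );
    // Allow only characters a stream name legitimately needs; anything else
    // (quotes, spaces, angle brackets) is dropped rather than "neutralised".
    $stream = preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $atts['stream'] );

    // esc_attr() is still applied so the output stays safe even if the
    // allow-list above is later relaxed; escaping belongs at the output site.
    return sprintf(
        '<video id="hls-player" width="%d" height="%d" data-stream="%s"></video>',
        $width,
        $height,
        esc_attr( $stream )
    );
}

add_shortcode( 'demo_hls', 'demo_hls_shortcode_hardened' );
```

The same distinction applies whatever the real plugin emits: values destined for an HTML attribute go through esc_attr(), URLs through esc_url(), and values placed inside a script block through wp_json_encode() or esc_js(). Input sanitisation such as the allow-list above is defence in depth, not a substitute for escaping in the correct output context.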
Potential Impact
The vulnerability lets an authenticated attacker with contributor-level access or higher store a script payload in a page, which then executes in the browser of anyone who renders that page. Contributors cannot publish, but their drafts are rendered when an editor or administrator previews or approves them, so the first victims are typically the privileged users reviewing the content, followed by every visitor once the post is published. Consequences include impersonation of logged-in users, actions performed with the victim's privileges (for an administrator victim this can extend to creating accounts or installing code), defacement, and delivery of malware. Note that WordPress sets its authentication cookies HttpOnly, so direct cookie theft is usually not possible; a practical payload instead issues authenticated requests, for example to the REST API, from the victim's browser. For organizations this compromises the confidentiality and integrity of user data and can damage reputation. Because the plugin delivers live video, an attacker could also alter or replace what viewers see on streaming pages. The flaw does not affect availability directly but can be the first step of a broader compromise. The need for an account limits exposure but does not remove it, especially where registration is open or many contributors exist. All versions up to and including 6.1.9 are affected, so every unpatched installation remains at risk.
Mitigation Recommendations
1. Update the Broadcast Live Video – Live Streaming plugin to a release later than 6.1.9 as soon as the vendor publishes one; the advisory covers all versions up to and including 6.1.9.
2. Until then, stop the shortcode from rendering: deactivate the plugin if the site can tolerate it, or unregister the tag from a must-use plugin with remove_shortcode('videowhisper_hls'). WordPress has no per-role shortcode permission, so the realistic choices are disabling the tag, disabling the plugin, or gating it on the post author's capabilities.
3. If you maintain a fork or custom integration of the plugin, validate attribute types and escape every attribute at the point of output (esc_attr for HTML attributes, esc_url for URLs, wp_json_encode for values placed in JavaScript); do not rely on KSES, which does not inspect shortcode attributes.
4. Review and tighten roles so that as few accounts as possible hold contributor access or higher, and make sure open registration does not grant such a role.
5. Run a Web Application Firewall with XSS rules, but note that the payload arrives as post content through the editor or the REST API rather than as a URL parameter, so the rules must inspect request bodies.
6. Hunt for existing injections: search post content for '[videowhisper_hls' instances whose attribute values contain quotes, angle brackets, 'javascript:' or 'on...=' handler names, and check who authored them. Also watch application and web server logs for unusual post edits by low-privilege users.
7. Educate content contributors about safe content practices and the risks of injecting untrusted code.
8. Audit and vulnerability-scan WordPress plugins and user-generated content regularly.
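As an added stand-in for steps 2 and 6 (example code, not the vendor's), the must-use plugin below wraps the real 'videowhisper_hls' shortcode so that it only renders inside posts whose author already holds the unfiltered_html capability, and registers a WP-CLI command that lists stored shortcode instances whose attribute values contain markup or script syntax. It relies on the standard WordPress and WP-CLI APIs; the command name 'vw-hls-audit' and the file name are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary guard for videowhisper_hls
 * Description: Added mitigation example (not vendor code). Save as
 * wp-content/mu-plugins/vw-hls-guard.php until the plugin is updated.
 */

// 1. Runtime guard: only let the shortcode render in posts whose author is
//    already trusted with raw HTML (unfiltered_html). Contributors and
//    authors are not, so their stored attributes never reach the handler.
add_action( 'init', function () {
    global $shortcode_tags;
    if ( empty( $shortcode_tags['videowhisper_hls'] ) ) {
        return; // plugin inactive or tag renamed: nothing to wrap
    }
    $original = $shortcode_tags['videowhisper_hls'];

    // add_shortcode() on an existing tag replaces the callback.
    add_shortcode( 'videowhisper_hls', function ( $atts, $content = null, $tag = '' ) use ( $original ) {
        $post = get_post();
        if ( ! $post || ! user_can( (int) $post->post_author, 'unfiltered_html' ) ) {
            error_log( sprintf( 'videowhisper_hls suppressed in post %d (author %d lacks unfiltered_html)',
                $post ? $post->ID : 0, $post ? (int) $post->post_author : 0 ) );
            return '';
        }
        return call_user_func( $original, $atts, $content, $tag );
    } );
}, PHP_INT_MAX ); // lowest priority: runs after the plugin's own add_shortcode()

// 2. Audit: `wp vw-hls-audit` lists stored shortcode instances whose attribute
//    values carry markup or script syntax, so existing injections can be found.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'vw-hls-audit', function () {
        global $wpdb;
        $rows = $wpdb->get_results( $wpdb->prepare(
            "SELECT ID, post_author, post_status, post_content FROM {$wpdb->posts} WHERE post_content LIKE %s",
            '%' . $wpdb->esc_like( '[videowhisper_hls' ) . '%'
        ) );
        // Core's own shortcode regex: group 3 is the raw attribute string,
        // groups 1 and 6 are set when the tag is escaped as [[...]].
        $regex    = '/' . get_shortcode_regex( array( 'videowhisper_hls' ) ) . '/';
        $findings = 0;
        foreach ( $rows as $row ) {
            if ( ! preg_match_all( $regex, $row->post_content, $m, PREG_SET_ORDER ) ) {
                continue;
            }
            foreach ( $m as $match ) {
                if ( '[' === $match[1] && ']' === $match[6] ) {
                    continue; // escaped shortcode, never rendered
                }
                $atts = shortcode_parse_atts( $match[3] );
                foreach ( (array) $atts as $name => $value ) {
                    // Characters that can close an attribute or introduce a handler.
                    if ( is_string( $value ) && preg_match( '/[<>"\'`]|javascript:|\bon\w+\s*=/i', $value ) ) {
                        $findings++;
                        WP_CLI::warning( sprintf( 'post %d (%s, author %d): attribute %s = %s',
                            $row->ID, $row->post_status, $row->post_author, $name, $value ) );
                    }
                }
            }
        }
        WP_CLI::success( "$findings suspicious attribute value(s) found" );
    } );
}
```

Copy the file into wp-content/mu-plugins/ (create the directory if it does not exist); must-use plugins load before regular plugins, which is why the wrapper hooks 'init' at the lowest priority so it runs after the plugin has registered its shortcode. Run 'wp vw-hls-audit' to review existing content, and delete the file once the plugin is updated. On a multisite network only super administrators hold unfiltered_html by default, so there the guard also silences the shortcode for ordinary site administrators.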
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-11T13:09:37.334Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e3fb7ef31ef0b59b9c3
Added to database: 2/25/2026, 9:48:47 PM
Last enriched: 2/26/2026, 4:13:33 AM
Last updated: 2/26/2026, 8:28:10 AM
Related Threats
- CVE-2026-1698 (Medium): CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax in arcinfo PcVue
- CVE-2026-1697 (Medium): CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in arcinfo PcVue
- CVE-2026-1696 (Low): CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue
- CVE-2026-1695 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue
- CVE-2026-1694 (Low): CWE-201 Insertion of Sensitive Information into Sent Data in arcinfo PcVue