CVE-2024-12508 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Glofox Shortcodes plugin for WordPress, specifically in all versions up to and including 2.6. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes in the plugin's 'glofox' and 'glofox_lead_capture' shortcodes. This improper neutralization of input (CWE-79) allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages generated by these shortcodes. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, unauthorized actions, or data theft. The vulnerability does not require user interaction beyond viewing the affected page and does not require elevated privileges beyond contributor access. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C), indicating that the vulnerability affects components beyond the initially vulnerable component, impacting confidentiality and integrity but not availability. No known exploits have been reported in the wild, and no official patches have been linked yet. The vulnerability was publicly disclosed in January 2025, with the Wordfence team as the assigner.

This vulnerability can significantly impact organizations using the Glofox Shortcodes plugin by enabling attackers with contributor-level access to inject persistent malicious scripts. The injected scripts can compromise user sessions, steal sensitive information, or perform unauthorized actions on behalf of users, undermining confidentiality and integrity of data. While availability is not directly affected, the reputational damage and potential data breaches can lead to operational disruptions and loss of customer trust. Since WordPress powers a large portion of websites globally, and Glofox is a niche plugin used in fitness and gym management sectors, organizations in these industries are particularly vulnerable. Attackers exploiting this flaw could target administrative users or customers, potentially leading to broader compromise of the website or connected systems. The medium severity rating reflects the need for prompt remediation to prevent exploitation, especially in environments with multiple contributors or less stringent access controls.

To mitigate this vulnerability, organizations should immediately restrict contributor-level privileges to trusted users only, minimizing the risk of malicious shortcode attribute injection. Implement strict input validation and output encoding for all user-supplied data within the plugin's shortcode attributes, either by applying available patches once released or by manually sanitizing inputs in the plugin code. Monitor website logs and user activity for unusual behavior or unexpected script injections. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Regularly update WordPress plugins and core to the latest versions and subscribe to vendor security advisories for timely patching. Consider temporarily disabling the affected shortcodes if feasible until a patch is available. Additionally, conduct security awareness training for contributors to recognize the risks of injecting untrusted content.