CVE-2024-12512 is a stored cross-site scripting vulnerability identified in the Ask Me Anything (Anonymously) WordPress plugin developed by arunbasillal. This vulnerability arises from improper neutralization of input during web page generation, specifically within the 'askmeanythingpeople' shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of the victim. The vulnerability affects all versions up to and including 1.6. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change due to affecting other users. No patches or exploits are currently publicly available, but the vulnerability's presence in a popular content management system plugin makes it a significant risk. The flaw is categorized under CWE-79, highlighting improper input validation and output encoding as the root cause.

The impact of CVE-2024-12512 is primarily on the confidentiality and integrity of user sessions and data within affected WordPress sites. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users, including administrators if targeted carefully. It can also enable defacement, phishing, or distribution of malware through injected scripts. Since the vulnerability requires contributor-level access, attackers must first compromise or register with sufficient privileges, which limits but does not eliminate risk. The scope of affected systems includes any WordPress site using the Ask Me Anything (Anonymously) plugin up to version 1.6, potentially spanning thousands of websites globally. The absence of known exploits reduces immediate risk, but the medium severity score and ease of exploitation once authenticated make it a notable threat. Organizations relying on this plugin for user interaction or anonymous Q&A features face reputational damage and user trust issues if exploited.

To mitigate CVE-2024-12512, organizations should immediately update the Ask Me Anything (Anonymously) plugin once a patched version is released by the vendor. Until then, administrators should restrict contributor-level access to trusted users only and monitor for suspicious activity or unexpected shortcode usage. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injections in shortcode parameters can provide interim protection. Additionally, site owners should audit all user-generated content for malicious scripts and sanitize inputs manually if possible. Disabling or removing the vulnerable shortcode temporarily can also reduce risk. Educating contributors about safe content submission and monitoring logs for unusual behavior are recommended. Finally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources.