CVE-2024-12513 is a stored cross-site scripting (XSS) vulnerability identified in the Contests by Rewards Fuel plugin for WordPress, specifically affecting all versions up to and including 2.0.65. The root cause lies in insufficient sanitization and escaping of user-supplied input within the plugin's 'RF_CONTEST' shortcode attributes. This flaw allows authenticated attackers with contributor-level permissions or higher to inject arbitrary JavaScript code into contest pages. When other users access these pages, the injected scripts execute in their browsers, potentially enabling session hijacking, unauthorized actions on behalf of users, or theft of sensitive information. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required but no user interaction needed. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the attacker’s privileges, impacting confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a credible threat to WordPress sites using this plugin, especially those allowing contributor-level user registrations. The plugin is widely used for running contests and promotions, making affected sites attractive targets for attackers aiming to compromise user trust or steal credentials. The vulnerability demands immediate attention to prevent exploitation.

The impact of CVE-2024-12513 is significant for organizations running WordPress sites with the Contests by Rewards Fuel plugin. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the browsers of any visitors to the compromised pages. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed with victim user privileges, and potential spread of malware. The confidentiality and integrity of user data and site content are at risk, undermining user trust and potentially causing reputational damage. While availability is not directly affected, the indirect consequences such as blacklisting by search engines or browsers due to malicious content can disrupt site operations. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially for sites with open or weak user registration policies. Organizations involved in e-commerce, marketing, or customer engagement through contests are particularly vulnerable, as attackers may leverage this to target customers or manipulate contest outcomes. The vulnerability’s medium severity score reflects these risks, but the potential for chained attacks or privilege escalation could elevate its impact if combined with other vulnerabilities.

To mitigate CVE-2024-12513, organizations should first apply any available patches or updates from the plugin vendor once released. In the absence of an official patch, administrators should restrict contributor-level and higher user roles from accessing or using the 'RF_CONTEST' shortcode functionality. Implement strict input validation and output encoding on all user-supplied data related to contest shortcodes to prevent script injection. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads specific to this plugin’s parameters. Conduct regular audits of user-generated content for suspicious scripts or anomalies. Limit user registrations and enforce strong authentication policies to reduce the risk of malicious insiders or compromised accounts. Monitor site logs for unusual activity related to contest pages. Educate site administrators and content creators about the risks of XSS and safe content practices. Finally, consider isolating contest functionality on separate subdomains or environments to contain potential exploitation impact.