CVE-2024-12515 is a stored cross-site scripting vulnerability identified in the Muslim Prayer Time-Salah/Iqamah plugin for WordPress, which is widely used to display prayer times for Muslim communities. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically in the handling of the Masjid ID parameter. All plugin versions up to and including 1.8.8 fail to adequately sanitize and escape this input, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who visits the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions within the victim’s browser. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, privileges required at the Contributor level, no user interaction needed, and a scope change due to the impact on other users. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The lack of available patches at the time of disclosure increases the urgency for administrators to implement interim mitigations. The vulnerability highlights the importance of rigorous input validation and output encoding in WordPress plugin development to prevent cross-site scripting attacks.

The impact of CVE-2024-12515 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows an authenticated contributor to inject persistent malicious scripts that execute in the browsers of any visitors to the compromised pages. This can lead to session hijacking, theft of sensitive user information, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. While availability is not directly affected, the reputational damage and loss of user trust can be significant. Organizations relying on this plugin, particularly religious institutions, community websites, and organizations serving Muslim populations, face risks of data breaches and user compromise. The requirement for contributor-level privileges limits the attack surface but does not eliminate risk, especially in environments with multiple content editors or less stringent access controls. The vulnerability could also be leveraged as a foothold for further attacks within the WordPress environment or the broader network if combined with other vulnerabilities.

To mitigate CVE-2024-12515, organizations should immediately review and restrict Contributor-level access to trusted users only, minimizing the number of accounts that can inject content. Administrators should monitor and audit content submissions for suspicious scripts or unexpected changes. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the Masjid ID parameter can provide temporary protection. Site owners should apply any forthcoming patches from the plugin vendor as soon as they are released. In the absence of patches, consider disabling or replacing the plugin with alternatives that follow secure coding practices. Additionally, enforcing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular backups and incident response plans should be maintained to quickly restore sites if exploitation occurs. Finally, educating contributors about secure content practices and the risks of XSS can reduce accidental introduction of malicious code.