CVE-2024-12516 identifies a stored cross-site scripting vulnerability in the vickydalmia Coupon Plugin for WordPress, present in all versions up to and including 1.2.1. The vulnerability stems from insufficient sanitization and escaping of the 'Coupon Code' parameter, allowing authenticated users with Contributor-level or higher privileges to inject arbitrary JavaScript code into the plugin's pages. When other users access these pages, the malicious scripts execute in their browsers, potentially enabling session hijacking, privilege escalation, or unauthorized actions within the context of the victim's session. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 base score is 6.4, indicating a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported to date, but the vulnerability poses a risk to any WordPress site using this plugin, especially those allowing contributors to add or edit coupons. The persistent nature of stored XSS increases the risk of widespread impact once exploited. The vulnerability was published on January 7, 2025, and no official patches have been linked yet, emphasizing the need for immediate mitigation steps.

The primary impact of CVE-2024-12516 is the potential compromise of user confidentiality and integrity on affected WordPress sites. Exploitation allows attackers to execute arbitrary scripts in the browsers of site visitors or administrators, which can lead to session hijacking, theft of sensitive information, unauthorized actions, or defacement of site content. Although availability is not directly impacted, the reputational damage and user trust erosion can be significant. Organizations relying on the vickydalmia Coupon Plugin risk exposure to targeted attacks, especially if contributor roles are widely assigned or if the site has high traffic. The vulnerability could be leveraged to pivot to further attacks within the network or to distribute malware. Since the attack requires authenticated access at Contributor level or above, the risk is mitigated somewhat by access controls, but insider threats or compromised accounts increase the likelihood of exploitation. The scope of affected systems is broad given WordPress's global popularity and the plugin's usage, making this a relevant threat for e-commerce and marketing sites using this plugin.

1. Immediately review and restrict Contributor-level access to trusted users only, minimizing the number of users who can inject coupon codes. 2. Implement strict input validation and output encoding for the 'Coupon Code' parameter at the application level if patching is not yet available. 3. Deploy a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting WordPress plugins. 4. Monitor logs and user activities for suspicious coupon code entries or unusual contributor behavior. 5. Educate site administrators and contributors about the risks of XSS and safe content practices. 6. Regularly update the plugin once a patch is released by the vendor or consider replacing the plugin with a more secure alternative. 7. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. 8. Conduct periodic security assessments and penetration testing focusing on user input vectors in WordPress plugins. These steps go beyond generic advice by focusing on access control, proactive detection, and layered defenses tailored to the plugin's vulnerability.