CVE-2024-12519 identifies a stored cross-site scripting (XSS) vulnerability in the TCBD Auto Refresher plugin for WordPress, versions up to and including 2.0. The vulnerability stems from improper neutralization of input (CWE-79) during web page generation, specifically in the handling of the 'tcbd_auto_refresh' shortcode's user-supplied attributes. The plugin fails to adequately sanitize and escape these inputs, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or further attacks within the context of the victim's privileges. The vulnerability is remotely exploitable over the network without requiring user interaction, but does require authenticated access with contributor or higher privileges. The CVSS v3.1 base score is 6.4 (medium severity), reflecting low attack complexity, no user interaction, partial confidentiality and integrity impacts, and a scope change due to the cross-user impact. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow shortcode attributes to be user-controlled. Organizations using this plugin should assess their exposure and implement mitigations promptly.

The primary impact of this vulnerability is the potential for stored XSS attacks, which can compromise the confidentiality and integrity of user data. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of any user viewing the infected page, potentially leading to session hijacking, theft of authentication tokens, unauthorized actions on behalf of users, or defacement of website content. Although availability is not directly affected, the reputational damage and loss of user trust can be significant. For organizations relying on WordPress sites with this plugin, especially those with multiple contributors or editors, the risk of internal threat actors or compromised contributor accounts exploiting this vulnerability is notable. The scope of impact extends beyond the initial attacker, affecting all users who access the injected content. This can facilitate lateral movement within the site and escalate privileges indirectly. Given the medium CVSS score and the requirement for authenticated access, the threat is moderate but should not be underestimated, particularly for high-traffic or sensitive websites.

1. Immediate mitigation involves restricting contributor-level access to trusted users only, minimizing the risk of malicious shortcode attribute injection. 2. Disable or remove the TCBD Auto Refresher plugin if it is not essential to website functionality. 3. Monitor and audit existing pages and posts for suspicious or unexpected shortcode usage that may indicate exploitation. 4. Implement a Web Application Firewall (WAF) with custom rules to detect and block attempts to inject malicious scripts via shortcode attributes. 5. Encourage the plugin vendor or community to release a patch that properly sanitizes and escapes all user-supplied inputs in the shortcode. 6. Educate content contributors on safe content practices and the risks of injecting untrusted code. 7. Regularly update WordPress core and all plugins to their latest versions to reduce exposure to known vulnerabilities. 8. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the website. 9. Conduct periodic security scans focusing on XSS vulnerabilities and shortcode misuse. These steps combined will reduce the likelihood and impact of exploitation until an official patch is available.