CVE-2024-12520 is a stored cross-site scripting vulnerability classified under CWE-79 found in the Dominion – Domain Checker for WPBakery plugin for WordPress. This vulnerability affects all versions up to and including 2.2.2. The root cause is insufficient sanitization and escaping of user-supplied input in the 'dominion_shortcodes_domain_search_6' shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript code into pages generated by the plugin. When other users visit these compromised pages, the malicious scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deface the website. The vulnerability is exploitable remotely over the network without user interaction, with low attack complexity, but requires authentication with contributor or higher privileges. The CVSS 3.1 score of 6.4 reflects a medium severity impact, with confidentiality and integrity impacts rated as low but no impact on availability. No patches or official fixes have been published yet, and no known exploits are reported in the wild. This vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that accept user input in shortcodes. Organizations using this plugin should monitor for updates, restrict contributor access, and consider additional security controls to mitigate risk.

The primary impact of this vulnerability is the potential for stored cross-site scripting attacks, which can compromise the confidentiality and integrity of user sessions and data. Attackers can hijack user sessions, steal authentication tokens, or perform unauthorized actions with the privileges of the victim user. This can lead to account takeover, data leakage, or defacement of websites. Since the vulnerability requires contributor-level authentication, the risk is somewhat mitigated by the need for an attacker to have or obtain such access, but insider threats or compromised contributor accounts increase risk. The scope includes any WordPress site using the affected plugin versions, which may be widespread given the popularity of WPBakery and domain checking plugins. The vulnerability does not affect availability directly but can degrade user trust and site reputation. Organizations with high-value targets or sensitive user data are at greater risk of consequential damage from exploitation.

1. Immediately restrict contributor-level and higher access to trusted users only, and review existing user privileges to minimize risk exposure. 2. Monitor for and apply vendor patches or updates as soon as they become available; if no patch exists, consider disabling the vulnerable shortcode or the entire plugin temporarily. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious script injections targeting the vulnerable shortcode parameters. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Conduct regular security audits and code reviews of plugins, especially those accepting user input in shortcodes or forms. 6. Educate site administrators and contributors about the risks of XSS and safe content input practices. 7. Consider using security plugins that sanitize shortcode inputs or provide additional input validation layers. 8. Monitor site logs for unusual activity indicative of exploitation attempts.