The Slotti Ajanvaraus plugin for WordPress, widely used for appointment scheduling, contains a stored cross-site scripting vulnerability identified as CVE-2024-12521. This vulnerability exists in all versions up to and including 1.3.1 due to insufficient sanitization and escaping of user input in the 'slotti-embed-ga' shortcode attributes. Specifically, authenticated users with contributor-level permissions or above can inject arbitrary JavaScript code into pages via this shortcode. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of the victim. The vulnerability requires authentication but no additional user interaction, increasing its risk within environments where multiple users have contributor or higher roles. The CVSS 3.1 base score of 6.4 reflects a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No patches or known exploits have been reported at the time of publication, but the vulnerability's presence in a popular WordPress plugin makes it a significant concern for website administrators. The vulnerability stems from CWE-79, highlighting improper neutralization of input during web page generation, a common vector for XSS attacks. Mitigation requires either updating the plugin once a patch is available or applying strict input validation and output encoding on the shortcode attributes to prevent script injection.

This vulnerability allows authenticated users with contributor-level access to inject malicious scripts that execute in the context of other users visiting the affected pages. The potential impacts include theft of session cookies, enabling account takeover, defacement of website content, unauthorized actions performed on behalf of users, and potential spread of malware or phishing attacks. Since the vulnerability affects the confidentiality and integrity of user data and sessions, it can undermine user trust and lead to reputational damage. Organizations relying on the Slotti Ajanvaraus plugin for appointment scheduling may face disruptions in service trustworthiness and increased risk of targeted attacks against their user base. Although availability is not directly impacted, the indirect consequences of compromised user accounts or data leakage can be severe. The requirement for contributor-level access limits exploitation to insiders or compromised accounts, but in multi-user environments, this is a realistic threat. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available.

Administrators should monitor for updates from the plugin vendor and apply patches promptly once released. Until a patch is available, restrict contributor-level access to trusted users only and audit existing user permissions to minimize risk. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'slotti-embed-ga' shortcode attributes. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting script sources. Conduct regular security reviews of user-generated content and shortcode usage to identify and remove suspicious entries. Consider disabling or removing the vulnerable shortcode if it is not essential to the website's functionality. Educate users with elevated privileges about the risks of injecting untrusted content and enforce strong authentication and monitoring to detect anomalous behavior. Additionally, implement output encoding best practices in custom code interacting with the plugin to reduce XSS risks.