CVE-2024-12522 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Yay! Forms WordPress plugin, which enables embedding custom forms, surveys, and quizzes. The vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of user-supplied attributes within the 'yayforms' shortcode. This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages. The injected scripts execute in the context of any user who views the affected page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability affects all versions up to and including 1.2.1. The CVSS 3.1 base score is 6.4, indicating medium severity, with attack vector network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change. The impact primarily affects confidentiality and integrity, with no direct availability impact. No public exploits or patches are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The flaw highlights the importance of proper input validation and output encoding in WordPress plugins, especially those handling user-generated content.

The vulnerability allows authenticated contributors or higher to inject malicious scripts that execute in the browsers of users visiting the compromised pages. This can lead to theft of session cookies, enabling attackers to impersonate users with potentially higher privileges, unauthorized data access, or manipulation of site content. The integrity of the website content can be compromised, and confidential information exposed. While availability is not directly impacted, successful exploitation can facilitate further attacks that degrade service or lead to site defacement. Organizations relying on Yay! Forms for customer engagement or data collection risk reputational damage and loss of user trust if exploited. The medium CVSS score reflects moderate risk, but the ease of exploitation by authenticated users and the potential for privilege escalation make it a significant concern for WordPress sites with multiple contributors.

1. Immediately restrict contributor-level and higher privileges to trusted users only until a patch is available. 2. Monitor and audit user-generated content submitted via Yay! Forms for suspicious or unexpected scripts. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the 'yayforms' shortcode. 4. Encourage users to update the plugin promptly once the vendor releases a patch addressing this vulnerability. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 6. Consider temporarily disabling or removing the Yay! Forms plugin if it is not critical to operations. 7. Educate contributors about the risks of injecting untrusted content and enforce strict input validation policies. 8. Use security plugins that scan for XSS vulnerabilities and malicious code injections in WordPress environments.