CVE-2024-12523 is a stored cross-site scripting (XSS) vulnerability identified in the States Map US plugin for WordPress, maintained by wssoffice21. The flaw exists in all versions up to and including 2.4.2 and is caused by improper neutralization of input during web page generation, specifically within the 'states_map' shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing an authenticated attacker with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time a user accesses the compromised page, potentially affecting site administrators, editors, and visitors. The vulnerability leverages CWE-79 (Improper Neutralization of Input During Web Page Generation), a common vector for XSS attacks. The CVSS 3.1 base score is 6.4, with an attack vector of network, low attack complexity, privileges required at the low level, no user interaction needed, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. The impact includes limited confidentiality and integrity loss but no availability impact. No patches or exploits are currently publicly available, but the vulnerability is publicly disclosed as of December 14, 2024.

The primary impact of CVE-2024-12523 is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress sites using the States Map US plugin. This can lead to session hijacking, theft of sensitive user data, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the injected scripts execute in the context of the victim's browser, any user visiting the compromised page, including administrators and editors, could be affected. This elevates the risk of privilege escalation and broader site compromise. Organizations relying on this plugin risk reputational damage, data breaches, and potential regulatory consequences if user data is exposed. The vulnerability’s medium severity and requirement for authenticated access somewhat limit its exploitation scope, but many WordPress sites allow contributor-level users, especially in multi-author environments, increasing risk. The absence of known exploits in the wild reduces immediate threat but does not eliminate future exploitation possibilities.

To mitigate CVE-2024-12523, organizations should first check for plugin updates from wssoffice21 addressing this vulnerability and apply patches promptly once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and review existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode attribute inputs can help reduce exploitation risk. Additionally, site owners should sanitize and validate all user inputs manually if custom modifications are made to the plugin or shortcode usage. Regular security audits and monitoring for unusual script injections or page modifications are recommended. Employing Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting script sources. Finally, educating content contributors about safe input practices and monitoring logs for anomalous behavior will further reduce risk.