CVE-2024-12525 identifies a stored cross-site scripting vulnerability in the Easy MLS Listings Import plugin for WordPress, specifically in the 'homeasap-featured-listings' shortcode. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied shortcode attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. Because the malicious script is stored and rendered on pages accessed by other users, it can execute automatically without additional user interaction. The vulnerability affects all versions up to and including 2.0.1. Exploitation requires authentication but no user interaction beyond viewing the compromised page. The CVSS 3.1 base score is 6.4, indicating medium severity, with attack vector being network, low attack complexity, privileges required, no user interaction, and scope changed due to impact on other users. The vulnerability can lead to partial confidentiality and integrity loss, such as stealing cookies, session tokens, or performing actions on behalf of other users. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WordPress and this plugin in real estate listing websites. The vulnerability was published on February 18, 2025, and assigned by Wordfence.

The vulnerability allows authenticated users with contributor-level access or higher to inject malicious scripts that execute in the browsers of other users viewing the affected pages. This can lead to theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of other users, defacement of website content, or distribution of malware. Since WordPress powers a large number of websites globally, especially in real estate and property listing sectors where this plugin is used, the impact can be significant for organizations relying on this plugin. The compromise of user accounts or administrative sessions can lead to data breaches, loss of customer trust, and potential regulatory penalties. The vulnerability does not directly affect availability but can disrupt normal operations through defacement or unauthorized changes. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with many contributors or weak access controls.

Organizations should immediately update the Easy MLS Listings Import plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should restrict contributor-level access to trusted users only and review user roles to minimize exposure. Implementing a web application firewall (WAF) with rules to detect and block XSS payloads targeting the 'homeasap-featured-listings' shortcode can provide temporary protection. Regularly audit and sanitize existing content generated via this shortcode to remove any injected scripts. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected pages. Educate content contributors about safe input practices and monitor logs for suspicious activity. Finally, maintain regular backups and incident response plans to quickly recover from any exploitation.