CVE-2024-12527 is a stored cross-site scripting (XSS) vulnerability identified in the Perfect Portal Widgets plugin for WordPress, specifically in the 'perfect_portal_intake_form' shortcode. This vulnerability exists due to insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 3.0.3 of the plugin. The CVSS 3.1 base score of 6.4 reflects a medium severity, with an attack vector over the network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change indicating that the impact extends beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss but no availability impact. No public exploits have been reported yet, but the vulnerability is significant because contributor-level users are common in WordPress environments, and stored XSS can be leveraged for persistent attacks. The plugin's widespread use in WordPress sites increases the attack surface. The vulnerability was published on January 11, 2025, and no official patches or updates are currently linked, emphasizing the need for immediate mitigation steps by administrators.

The primary impact of CVE-2024-12527 is the potential for persistent cross-site scripting attacks on WordPress sites using the Perfect Portal Widgets plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of any users visiting the affected pages, including administrators and other privileged users. This can lead to session hijacking, credential theft, unauthorized actions performed with victim privileges, and potential site defacement or redirection to malicious sites. Although the vulnerability does not directly affect availability, the compromise of user sessions and site integrity can result in significant operational disruption and reputational damage. Organizations relying on this plugin face risks of data leakage and unauthorized access, especially if attackers escalate privileges or leverage the XSS to deploy further attacks such as malware distribution or phishing. The scope of affected systems is limited to WordPress sites with this plugin installed, but given WordPress's global popularity and the plugin's usage, the potential impact is broad. The requirement for contributor-level privileges reduces the attack surface but does not eliminate risk, as contributor accounts are common in multi-author blogs and corporate sites. The absence of known exploits in the wild currently lowers immediate risk but does not preclude future exploitation.

1. Immediately restrict contributor-level access to trusted users only, minimizing the number of accounts that can exploit this vulnerability. 2. Monitor and audit user-generated content submitted via the 'perfect_portal_intake_form' shortcode for suspicious or unexpected scripts or HTML tags. 3. Apply manual input sanitization and output escaping in the plugin's shortcode if possible, or disable the shortcode temporarily until an official patch is released. 4. Employ Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting this plugin. 5. Educate site administrators and contributors about the risks of injecting untrusted content and encourage safe content submission practices. 6. Regularly back up site data and configurations to enable quick recovery if exploitation occurs. 7. Stay updated with vendor announcements for patches or updates addressing this vulnerability and apply them promptly once available. 8. Consider using security plugins that can detect and neutralize XSS attempts or anomalous script injections. 9. Limit the use of third-party plugins and shortcodes to those that are actively maintained and vetted for security.