
CVE-2024-12528: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pantherius WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress

Severity: Medium
Type: Vulnerability
Tags: CVE-2024-12528, CWE-79
Published: Tue Jan 07 2025 (01/07/2025, 03:21:55 UTC)
Source: CVE Database V5
Vendor/Project: pantherius
Product: WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress

Description

CVE-2024-12528 is a stored cross-site scripting (XSS) vulnerability in the WordPress Survey & Poll – Quiz, Survey and Poll Plugin by pantherius, affecting all versions up to and including 1.7.5. The flaw arises from insufficient input sanitization and output escaping in the 'wpsurveypoll_results' shortcode, allowing authenticated users with contributor-level access or higher to inject malicious scripts. These scripts execute whenever any user views the affected page, potentially leading to session hijacking, defacement, or unauthorized actions. The vulnerability has a CVSS score of 6.4, indicating medium severity, with no known exploits in the wild at the time of writing. Mitigation requires patching the plugin once updates are available or applying strict input validation and output encoding in the meantime. Organizations using this plugin should review user privileges and monitor for suspicious activity. Countries with significant WordPress usage and active contributor communities are most at risk.

AI-Powered Analysis

AI last updated: 02/26/2026, 03:57:43 UTC

Technical Analysis

CVE-2024-12528 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 that affects the WordPress Survey & Poll – Quiz, Survey and Poll Plugin developed by pantherius. This vulnerability exists in all versions up to and including 1.7.5 due to improper neutralization of user-supplied input in the 'wpsurveypoll_results' shortcode. Specifically, the plugin fails to adequately sanitize and escape the shortcode's input attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability requires no user interaction beyond viewing the affected page, but it does require the attacker to hold contributor or higher privileges, which limits exploitation to insiders or compromised accounts. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a network attack vector, low attack complexity, low privileges required, no user interaction, a scope change, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the widespread use of WordPress and this plugin. The lack of a patch at the time of reporting necessitates interim mitigations such as restricting contributor access and monitoring for suspicious shortcode usage.

Potential Impact

The primary impact of CVE-2024-12528 is the compromise of confidentiality and integrity within affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or site defacement. This can erode user trust, damage brand reputation, and expose organizations to further attacks such as privilege escalation or data exfiltration. Because the vulnerability requires authenticated access, the risk is higher in environments with many contributors or weak account controls. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting the entire site. Although availability is not directly affected, the indirect consequences of exploitation, such as administrative lockout or cleanup efforts, can disrupt operations. Organizations relying on this plugin for surveys and polls may face data integrity issues and user privacy violations if exploited.

Mitigation Recommendations

1. Immediately restrict contributor-level and higher user permissions to trusted personnel only, minimizing the risk of malicious script injection.
2. Monitor and audit all uses of the 'wpsurveypoll_results' shortcode for suspicious or unexpected content.
3. Apply strict input validation and output encoding on all user-supplied data related to the plugin, either via custom code or security plugins that enforce sanitization.
4. Disable or remove the vulnerable plugin if it is not essential, to reduce the attack surface.
5. Stay alert for official patches or updates from pantherius and apply them promptly once released.
6. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting this plugin.
7. Educate site administrators and contributors about the risks of XSS and safe content management practices.
8. Regularly back up site data to enable recovery in case of compromise.
9. Use security plugins that can detect and alert on unauthorized script injections or changes in shortcode content.
10. Consider deploying Content Security Policy (CSP) headers to limit the impact of injected scripts.
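As an added example that is not code from the advisory or from the plugin, the following Python script implements mitigation items 2 and 9: it parses every `wpsurveypoll_results` shortcode in post content and flags attribute values that contain markup, event-handler attributes, script URLs or encoded angle brackets, i.e. content that has no business in a plain-text shortcode attribute. The post rows, author names and attribute names are constructed sample data, and the attribute grammar is a simplified approximation of WordPress shortcode syntax (an assumption, not the plugin's own parser).

```python
import re

# Matches the shortcode named in the advisory and captures its attribute string.
# Limitation (by design of the simple grammar): a ']' inside a quoted value ends the match early.
SHORTCODE_RE = re.compile(r"\[wpsurveypoll_results\b([^\]]*)\]", re.IGNORECASE)

# key="value", key='value' or key=value (simplified WordPress shortcode attribute syntax).
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))')

# Signs of markup or script in a value that should be plain text:
# an HTML tag, a javascript: URL, an on*= event handler, or HTML/URL-encoded angle brackets.
SUSPICIOUS_RE = re.compile(
    r"<\s*/?\s*\w+|javascript\s*:|\bon\w+\s*=|&#x?[0-9a-f]+;|%3c|%3e",
    re.IGNORECASE,
)


def parse_atts(raw):
    """Return {attribute_name: value} for one shortcode's attribute string."""
    atts = {}
    for m in ATTR_RE.finditer(raw):
        key = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        atts[key] = value
    return atts


def audit_post(post_id, author, content):
    """Return one finding per shortcode instance that carries a suspicious attribute value."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        atts = parse_atts(m.group(1))
        bad = {k: v for k, v in atts.items() if SUSPICIOUS_RE.search(v)}
        if bad:
            findings.append({"post_id": post_id, "author": author,
                             "shortcode": m.group(0), "attributes": bad})
    return findings


def audit_posts(posts):
    """Audit an iterable of (post_id, author, content) rows, e.g. exported from wp_posts."""
    findings = []
    for post_id, author, content in posts:
        findings.extend(audit_post(post_id, author, content))
    return findings


# Constructed sample rows: one benign use, two injected uses, one post without the shortcode.
SAMPLE_POSTS = [
    (101, "editor_jane", 'Results: [wpsurveypoll_results id="3" style="bar"]'),
    (102, "contrib_bob", '[wpsurveypoll_results id="3" title="<img src=x onerror=alert(1)>"]'),
    (103, "contrib_eve", "[wpsurveypoll_results id=3 style='javascript:void(0)']"),
    (104, "admin", "No poll on this page."),
]

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']} by {f['author']}: {f['attributes']}")
```

Run it over rows exported from the site's wp_posts table (post ID, author, post_content) and review every flagged post and its author, since a hit from a contributor account is exactly the condition this advisory describes.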


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-11T14:04:52.008Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e40b7ef31ef0b59bbca

Added to database: 2/25/2026, 9:48:48 PM

Last enriched: 2/26/2026, 3:57:43 AM

Last updated: 2/26/2026, 7:56:51 AM

