CVE-2024-12590 is a stored cross-site scripting vulnerability identified in the WP Youtube Gallery plugin for WordPress, maintained by india-web-developer. The flaw exists due to insufficient sanitization and escaping of the 'id' parameter during web page generation, which allows an attacker with at least Contributor-level privileges to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 1.9 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or fixes are currently linked, and no known exploits have been observed in the wild. This vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. Since WordPress is widely used globally and this plugin is popular for embedding YouTube galleries, the vulnerability poses a significant risk to websites that allow contributors or higher roles to upload or modify content. Attackers exploiting this flaw could compromise site visitors and administrators, leading to data theft or site defacement.

The impact of CVE-2024-12590 is primarily on the confidentiality and integrity of affected WordPress sites and their users. By exploiting this stored XSS vulnerability, attackers can execute arbitrary scripts in the context of the victim's browser, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of users with elevated privileges. This can lead to account takeover, data leakage, and reputational damage. Since the vulnerability requires Contributor-level access, it limits exploitation to attackers who have already gained some level of trust or access, but this is a common scenario in multi-user WordPress environments. The scope change in the CVSS vector indicates that the attack can affect resources beyond the vulnerable component, potentially impacting the entire website and its users. Organizations relying on this plugin for content management or media display face risks of persistent compromise and user exploitation. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code may emerge. The vulnerability also poses a risk to website visitors who may be exposed to malicious payloads unknowingly.

To mitigate CVE-2024-12590, organizations should first check for and apply any available updates or patches from the plugin vendor or WordPress repository once released. In the absence of an official patch, administrators should consider temporarily disabling or uninstalling the WP Youtube Gallery plugin to eliminate the attack surface. Restrict Contributor-level and higher privileges to trusted users only, and audit existing content for injected scripts or suspicious code. Implement Web Application Firewall (WAF) rules that detect and block malicious script payloads targeting the 'id' parameter or related plugin endpoints. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. Regularly scan the website for XSS vulnerabilities using automated tools and manual testing. Educate content contributors about secure content practices and the risks of injecting untrusted input. Monitor logs for unusual activity or attempts to exploit the plugin. Finally, consider alternative plugins with better security track records if the vendor does not provide timely fixes.