CVE-2024-12598 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the MyBookProgress plugin for WordPress developed by Stormhill Media. This vulnerability affects all versions up to and including 1.0.8. The root cause is the plugin's failure to properly sanitize and escape user input submitted via the 'book' parameter. Authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes in the browsers of any users who view the infected pages, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress site. The vulnerability does not require user interaction beyond viewing the page, and no authentication bypass is involved since the attacker must have at least Contributor access. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and no user interaction required. The scope is changed because the vulnerability affects multiple users who access the injected content. No official patches are currently listed, and no known exploits have been observed in the wild. The vulnerability highlights the importance of rigorous input validation and output encoding in WordPress plugin development to prevent XSS attacks.

The impact of CVE-2024-12598 on organizations worldwide can be significant, especially for those relying on the MyBookProgress plugin to manage book progress tracking on WordPress sites. Exploitation allows attackers with Contributor-level access to inject persistent malicious scripts, which execute in the context of other users' browsers. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access to user accounts, including potentially higher-privileged roles. Attackers might also perform actions on behalf of victims, such as changing content or settings, leading to integrity loss. Although the vulnerability does not directly affect availability, the compromise of user accounts and site integrity can result in reputational damage, loss of user trust, and potential data breaches. Since Contributor-level access is required, the threat is somewhat limited to environments where such user roles are assigned to untrusted or semi-trusted users. However, many WordPress sites allow multiple contributors, increasing the attack surface. The lack of known exploits in the wild reduces immediate risk but does not eliminate it, as the vulnerability is publicly disclosed and could be weaponized. Organizations with high-value WordPress sites or sensitive user data should consider this vulnerability a moderate risk requiring timely remediation.

To mitigate CVE-2024-12598, organizations should first check for updates or patches from Stormhill Media or the plugin maintainers and apply them promptly once available. In the absence of official patches, administrators can implement the following measures: 1) Restrict Contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the 'book' parameter. 3) Use security plugins that provide XSS protection and content sanitization layers for WordPress. 4) Conduct regular security audits and code reviews of installed plugins to identify and remediate insecure input handling. 5) Educate site administrators and contributors about the risks of XSS and safe content submission practices. 6) Consider disabling or replacing the MyBookProgress plugin with alternatives that follow secure coding practices if immediate patching is not feasible. 7) Monitor site logs and user activity for signs of exploitation or unusual behavior. These steps, combined with timely patching, will reduce the likelihood and impact of exploitation.