CVE-2024-12621 is a stored cross-site scripting vulnerability identified in the Yumpu E-Paper publishing plugin for WordPress, affecting all versions up to and including 3.0.8. The vulnerability stems from improper neutralization of input during web page generation, specifically within the plugin's 'YUMPU' shortcode. The plugin fails to sufficiently sanitize and escape user-supplied attributes, allowing authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Once injected, the malicious scripts execute in the context of any user who views the compromised page, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim user. The vulnerability does not require user interaction to trigger once the malicious content is stored and viewed. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed, indicating that the vulnerability can affect resources beyond the attacker’s privileges. No patches or exploit code are currently publicly available, but the risk remains significant due to the widespread use of WordPress and the plugin in digital publishing environments.

The primary impact of this vulnerability is on the confidentiality and integrity of affected WordPress sites using the Yumpu E-Paper publishing plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, credential theft, unauthorized actions, or distribution of malware. This can undermine user trust, damage brand reputation, and lead to data breaches. Since the vulnerability does not affect availability directly, denial of service is less likely. However, the ability to execute arbitrary scripts can facilitate further attacks such as privilege escalation or lateral movement within the site. Organizations relying on this plugin for digital publishing may face compliance and regulatory risks if user data is compromised. The medium CVSS score suggests moderate risk, but the ease of exploitation by authenticated users and the potential for widespread impact on site visitors elevate the concern.

To mitigate this vulnerability, organizations should immediately upgrade the Yumpu E-Paper publishing plugin to a version that addresses the issue once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and review user roles to minimize exposure. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode attributes can provide temporary protection. Additionally, site owners should audit existing content for injected scripts and remove any malicious code. Employing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources. Developers maintaining the plugin should apply proper input validation and output encoding on all user-supplied data, especially within shortcode attributes. Regular security scanning and monitoring for anomalous activity related to script injection are also recommended.