CVE-2024-12623 is a stored cross-site scripting vulnerability classified under CWE-79 affecting the ivmartel DICOM Support plugin for WordPress, specifically in all versions up to and including 0.10.6. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes within the plugin's 'dcm' shortcode, which is used to embed DICOM medical imaging data in WordPress pages. Authenticated users with contributor-level or higher access can exploit this flaw by injecting arbitrary JavaScript code into pages via the shortcode attributes. When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed with the victim's credentials. The vulnerability requires authentication but no user interaction to trigger once the malicious content is stored and viewed. The CVSS 3.1 base score of 6.4 reflects a medium severity level, with network attack vector, low complexity, privileges required, no user interaction, and a scope change indicating that the vulnerability affects resources beyond the initially compromised component. Although no known exploits have been reported in the wild, the presence of this vulnerability in a plugin used to handle sensitive medical imaging data raises concerns about confidentiality and integrity of protected health information. The plugin’s widespread use in healthcare-related WordPress sites increases the attack surface. The lack of available patches at the time of publication necessitates immediate mitigation efforts by administrators.

The primary impact of CVE-2024-12623 is the compromise of confidentiality and integrity of user sessions and data on affected WordPress sites. Attackers with contributor-level access can embed malicious scripts that execute in the context of other users, including administrators, enabling theft of authentication tokens, cookies, or other sensitive information. This can lead to unauthorized access, data leakage, or manipulation of site content. Since the vulnerability affects a plugin handling DICOM medical imaging data, there is an elevated risk of exposure or tampering with protected health information, which can have regulatory and reputational consequences for healthcare organizations. The vulnerability does not directly affect availability but can facilitate further attacks that degrade service or compromise system integrity. Organizations with multiple contributors or public-facing WordPress sites are at higher risk, as the attack requires authenticated access but no user interaction to trigger. The medium CVSS score reflects moderate risk, but the sensitive nature of the data involved and potential for privilege escalation elevate the overall impact. Failure to mitigate this vulnerability could lead to targeted attacks against healthcare providers, patient data breaches, and compliance violations under regulations such as HIPAA or GDPR.

To mitigate CVE-2024-12623, organizations should first check for and apply any official patches or updates released by ivmartel for the DICOM Support plugin. If patches are not yet available, administrators should restrict contributor-level and higher access to trusted users only, minimizing the risk of malicious shortcode injection. Implementing a web application firewall (WAF) with rules to detect and block suspicious shortcode attribute patterns or script tags can help prevent exploitation. Site administrators should audit existing content for injected scripts and remove any suspicious shortcode usage. Employing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting the execution of unauthorized scripts. Additionally, hardening WordPress security by enforcing strong authentication, limiting plugin usage, and regularly monitoring logs for unusual activity is recommended. For healthcare organizations, ensuring compliance with data protection standards and conducting security awareness training for contributors can further reduce risk. Finally, consider isolating or sandboxing the plugin’s output where feasible to limit script execution scope.