
CVE-2024-12633: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in beardev JoomSport – for Sports: Team & League, Football, Hockey & more

Severity: High
Published: Tue Jan 07 2025 (01/07/2025, 05:23:57 UTC)
Source: CVE Database V5
Vendor/Project: beardev
Product: JoomSport – for Sports: Team & League, Football, Hockey & more

Description

CVE-2024-12633 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability in the JoomSport WordPress plugin, affecting all versions up to and including 5.6.17. It arises from insufficient input sanitization and output escaping of the 'page' parameter, allowing unauthenticated attackers to inject malicious scripts. Exploitation requires tricking a user into clicking a crafted link, leading to script execution in the victim's browser. This can result in theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of the user. The vulnerability has a CVSS score of 7.1, indicating significant risk. No known exploits are currently in the wild, but the widespread use of WordPress and this plugin increases potential exposure. Organizations using JoomSport should prioritize patching or applying mitigations promptly to prevent exploitation.

AI-Powered Analysis

Last updated: 02/26/2026, 03:10:48 UTC

Technical Analysis

CVE-2024-12633 is a reflected Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress developed by beardev. The flaw exists in all versions up to and including 5.6.17, where the plugin fails to properly sanitize and escape user-supplied input in the 'page' parameter during web page generation. This improper neutralization allows an attacker to craft malicious URLs containing JavaScript code that, when clicked by an unsuspecting user, executes within the context of the victim’s browser session. Since the vulnerability is reflected, the malicious script is not stored but immediately reflected back in the HTTP response. The attack vector is remote and requires no authentication, but user interaction is necessary to trigger the exploit. The vulnerability impacts confidentiality, integrity, and availability by enabling session hijacking, theft of cookies or credentials, and potentially unauthorized actions on the affected WordPress site. The CVSS 3.1 base score is 7.1, reflecting a high severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction and resulting in a scope change. No patches or exploit code are currently publicly available, but the risk remains significant given the plugin’s usage in sports-related WordPress sites worldwide.

Potential Impact

The vulnerability poses a significant risk to organizations running WordPress sites with the JoomSport plugin, especially those managing sports teams, leagues, or fan engagement platforms. Successful exploitation can lead to session hijacking, credential theft, defacement, or unauthorized actions performed under the victim’s identity, potentially damaging reputation and user trust. Attackers could leverage this to spread malware, conduct phishing campaigns, or pivot to further attacks within the organization’s network. The reflected nature means attacks require social engineering to lure users into clicking malicious links, which can be distributed via email, social media, or forums. Given WordPress’s extensive global adoption and the popularity of sports-related content, a large number of websites and their users are at risk. The vulnerability could also affect site availability if exploited to inject disruptive scripts. Organizations with high traffic sports websites or those handling sensitive user data are particularly vulnerable to reputational and operational impacts.

Mitigation Recommendations

Organizations should immediately update the JoomSport plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators can implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'page' parameter. Input validation and output encoding should be enforced at the application level to neutralize script injection attempts. Site owners should educate users about the risks of clicking suspicious links and implement Content Security Policy (CSP) headers to restrict script execution sources. Regular security audits and monitoring for unusual activity related to the plugin are recommended. Additionally, disabling or removing the plugin temporarily can mitigate risk if patching is delayed. Logging and alerting on anomalous HTTP requests containing suspicious script patterns in query parameters can help detect exploitation attempts early.
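To support the logging-and-alerting recommendation above, here is an added example (not code from the JoomSport plugin or from this advisory) that scans constructed Combined Log Format lines and flags requests whose 'page' query parameter decodes to script-like content. The indicator patterns, log lines and addresses are assumptions; a second URL-decode pass catches double-encoded values that a single decode would miss.

```python
# Added example, not JoomSport or advisory code: flag requests whose 'page'
# parameter carries script-like content. Logs constructed; patterns hypothetical.
import re
from html import unescape
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical indicators of reflected-XSS attempts in a query parameter.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe)\b"  # injected HTML tags
    r"|\bon[a-z]+\s*="                     # inline event handlers
    r"|javascript\s*:",                    # javascript: URLs
    re.IGNORECASE,
)

# Combined Log Format: client, ident, user, [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(value: str) -> str:
    """parse_qs already removed one layer of URL encoding; strip a second
    layer and HTML entities so double-encoded payloads are not missed."""
    return unescape(unquote(value))

def suspicious_page_values(line: str, param: str = "page") -> list[str]:
    """Decoded values of `param` in this request that look like script."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    return [v for v in map(normalize, values) if SUSPICIOUS.search(v)]

def scan(lines: list[str]) -> list[tuple[str, str]]:
    """(client ip, decoded value) for every flagged request, in log order."""
    alerts = []
    for line in lines:
        for value in suspicious_page_values(line):
            alerts.append((LOG_RE.match(line).group("ip"), value))
    return alerts

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jan/2025:05:23:57 +0000] "GET /?page=standings HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Jan/2025:05:24:01 +0000] "GET /?page=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '198.51.100.9 - - [07/Jan/2025:05:24:09 +0000] "GET /?page=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640',
    '198.51.100.9 - - [07/Jan/2025:05:24:15 +0000] "GET /?q=%3Cscript%3E HTTP/1.1" 200 300',
]
```

Running `scan(SAMPLE_LOG)` flags the second and third lines only; the last line carries the same pattern in a different parameter and is reported only when `param="q"` is passed.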


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-13T21:06:45.826Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e46b7ef31ef0b59c26d

Added to database: 2/25/2026, 9:48:54 PM

Last enriched: 2/26/2026, 3:10:48 AM

Last updated: 2/26/2026, 6:54:56 AM

