CVE-2024-12716 is a medium-severity vulnerability classified as a Stored Cross-Site Scripting (XSS) issue (CWE-79) found in the Simple Basic Contact Form WordPress plugin versions prior to 20250114. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings inputs. This flaw allows users with high privileges, such as administrators, to inject malicious scripts that are stored persistently within the plugin's data. Notably, this vulnerability can be exploited even when the WordPress capability 'unfiltered_html' is disabled, such as in multisite environments, which typically restricts the ability to post unfiltered HTML. The CVSS 3.1 base score is 4.8, reflecting a medium severity level, with an attack vector of network (remote exploitation), low attack complexity, requiring high privileges, and user interaction (the admin must perform some action to trigger the exploit). The impact affects confidentiality and integrity but not availability, and the scope is changed, meaning the vulnerability can affect resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no patches or fixes have been linked yet. The vulnerability primarily targets the plugin's settings interface, where malicious scripts can be injected and later executed in the context of users who view the affected settings, potentially leading to session hijacking, privilege escalation, or other malicious actions within the WordPress environment.

For European organizations using WordPress sites with the Simple Basic Contact Form plugin, this vulnerability poses a risk primarily to site integrity and confidentiality. Attackers with admin-level access can embed malicious scripts that execute when other privileged users access the plugin settings, potentially leading to credential theft, unauthorized actions, or further compromise of the website. This is particularly concerning for organizations managing multisite WordPress installations, common in educational institutions, government agencies, and enterprises, where the usual restrictions on HTML content are bypassed. While the vulnerability does not directly affect availability, the compromise of administrative accounts or site integrity can lead to reputational damage, data breaches, and regulatory non-compliance under GDPR if personal data is exposed or manipulated. The medium severity score indicates a moderate risk, but the requirement for high privileges limits exploitation to insiders or attackers who have already breached initial defenses. Nonetheless, the persistence of the injected scripts increases the risk of prolonged compromise if not detected and remediated promptly.

European organizations should immediately verify if the Simple Basic Contact Form plugin is installed and identify the version in use. Since no official patch links are provided, organizations should monitor the plugin vendor's official channels for updates and apply the fixed version 20250114 or later as soon as it becomes available. In the interim, restrict administrative access strictly to trusted personnel and audit admin accounts for suspicious activity. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting plugin settings. Conduct regular security reviews of plugin settings pages and sanitize any user inputs manually if possible. Additionally, implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the WordPress admin interface. For multisite environments, review and tighten capability assignments to minimize the number of users with high privileges. Finally, maintain comprehensive logging and monitoring to detect any anomalous behavior indicative of exploitation attempts.