CVE-2024-12808 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin 'WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting' in versions prior to 1.13.4. This plugin integrates HR, recruitment, job listings, CRM, and accounting functionalities into WordPress sites. The vulnerability arises because certain plugin settings are not properly sanitized or escaped before being stored and rendered. This flaw allows users with high privileges, such as administrators, to inject malicious JavaScript code that is persistently stored and executed in the context of other users viewing the affected pages. Notably, this vulnerability can be exploited even when the WordPress capability 'unfiltered_html' is disabled, such as in multisite environments, which normally restricts the ability to post unfiltered HTML content. The CVSS 3.1 base score is 4.8, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring high privileges, and user interaction. The impact primarily affects confidentiality and integrity, as malicious scripts can steal session tokens, perform actions on behalf of users, or manipulate displayed data. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. Given the plugin’s role in managing sensitive HR and financial data, exploitation could lead to unauthorized data disclosure or manipulation within affected WordPress sites.

For European organizations, especially those using WordPress sites with the WP ERP plugin for HR, recruitment, CRM, or accounting purposes, this vulnerability poses a risk of unauthorized data access and manipulation. Attackers with administrative access could inject malicious scripts that compromise the confidentiality of employee records, recruitment data, or financial information. This could lead to data breaches violating GDPR requirements, resulting in regulatory penalties and reputational damage. Additionally, the stored XSS could be leveraged to escalate privileges or pivot attacks within the organization’s network. Multisite WordPress setups, common in larger enterprises or agencies managing multiple client sites, are particularly at risk since the vulnerability bypasses the usual 'unfiltered_html' restrictions. The impact on availability is minimal, but the integrity and confidentiality of critical business data are at risk. Given the sensitive nature of HR and accounting data, the threat could also affect trust with employees and clients, and potentially expose organizations to fraud or insider threats.

European organizations should immediately audit their WordPress installations to identify the presence and version of the WP ERP plugin. Until an official patch is released, organizations should restrict administrative access to trusted personnel only and review user roles to minimize the number of high-privilege accounts. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly back up WordPress data and configurations to enable quick recovery if exploitation occurs. Monitor logs for unusual administrative activity or unexpected changes in plugin settings. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting the plugin’s known vulnerable parameters. For multisite environments, enforce stricter role management and consider temporarily disabling the plugin on less critical sites. Once a patch is available, prioritize prompt updating of the plugin to version 1.13.4 or later. Additionally, educate administrators on the risks of stored XSS and safe content management practices within WordPress.