CVE-2024-12813 is a stored cross-site scripting (XSS) vulnerability identified in the Open Hours – Easy Opening Hours WordPress plugin developed by pixelgrade. This vulnerability exists in all versions up to and including 1.0.9. The root cause is insufficient sanitization and escaping of user-supplied attributes passed through the 'open-hours-current-status' shortcode, which allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of the victim. The vulnerability leverages CWE-79, indicating improper neutralization of input during web page generation. Exploitation requires authentication but no additional user interaction, and the attack surface is scoped to WordPress sites using this plugin. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impact. No public exploits have been reported yet, but the vulnerability poses a significant risk to sites that allow contributor-level users to add or edit content using the vulnerable shortcode.

The primary impact of this vulnerability is the potential for stored XSS attacks, which can lead to session hijacking, defacement, unauthorized actions performed in the context of the victim user, and possible data theft. Since the vulnerability requires contributor-level access, attackers who have compromised or obtained such credentials can leverage this flaw to escalate their impact beyond their privileges. This can undermine trust in affected websites, damage brand reputation, and lead to data breaches or further compromise of user accounts. For organizations running WordPress sites with this plugin, especially those with multiple content contributors, the risk includes unauthorized content manipulation and potential spread of malware or phishing via injected scripts. The vulnerability does not affect availability directly but compromises confidentiality and integrity of user sessions and data.

Organizations should immediately update the Open Hours – Easy Opening Hours plugin to a version that patches this vulnerability once available. Until a patch is released, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling the plugin or the vulnerable shortcode. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode parameters can provide interim protection. Additionally, site owners should audit existing content for injected scripts and remove any malicious payloads. Enforcing strict Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Regularly reviewing user roles and permissions to minimize unnecessary contributor access reduces the attack surface. Monitoring logs for unusual activity related to shortcode usage can aid in early detection of exploitation attempts.