CVE-2024-12814 identifies a stored cross-site scripting (XSS) vulnerability in the aerin Loan Comparison plugin for WordPress, affecting all versions up to and including 2.0. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes within the plugin's 'loancomparison' shortcode. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, user data, or enabling unauthorized actions. The vulnerability does not require user interaction beyond page access and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed (S:C), as the vulnerability affects resources beyond the attacker’s privileges, impacting confidentiality and integrity but not availability. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WordPress and the plugin’s role in financial comparison services. The vulnerability is cataloged under CWE-79, highlighting improper neutralization of input during web page generation. The lack of an official patch at the time of disclosure necessitates immediate defensive measures.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity on affected WordPress sites using the Loan Comparison plugin. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users’ browsers, enabling session hijacking, credential theft, defacement, or unauthorized actions such as changing content or escalating privileges. This can damage organizational reputation, lead to data breaches, and facilitate further attacks within the network. Although availability is not directly affected, the indirect consequences of trust erosion and potential regulatory penalties for data exposure can be severe. Financial service websites using this plugin are particularly sensitive targets due to the nature of their data and user base. The vulnerability’s exploitation requires authenticated access, limiting exposure to insiders or compromised accounts, but the risk remains high in environments with many contributors or weak access controls. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code could emerge.

Organizations should immediately review and restrict contributor-level access to trusted users only, minimizing the number of accounts that can exploit this vulnerability. Until an official patch is released, implement manual input validation and output escaping for any user-supplied data processed by the 'loancomparison' shortcode. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts targeting this plugin. Regularly audit WordPress user roles and permissions to ensure least privilege principles are enforced. Monitor logs and user activity for unusual behavior indicative of exploitation attempts. Consider temporarily disabling the Loan Comparison plugin if it is not critical to operations. Stay updated with vendor announcements for patches and apply them promptly once available. Additionally, educate content contributors about the risks of injecting untrusted content and enforce secure content management policies. Employ Content Security Policy (CSP) headers to limit the impact of any injected scripts.