CVE-2024-12815: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in zipang Point Maker
CVE-2024-12815 is a stored Cross-Site Scripting (XSS) vulnerability in the Point Maker WordPress plugin by zipang, affecting all versions up to 0.1.6. It arises from improper input sanitization and output escaping of user-supplied attributes in the 'point_maker' shortcode. Authenticated users with contributor-level access or higher can inject malicious scripts that execute whenever any user views the compromised page. The vulnerability has a CVSS score of 6.4, indicating medium severity, with potential impacts on confidentiality and integrity but no direct availability impact. Exploitation does not require user interaction but does require authenticated access with contributor privileges. No known public exploits exist yet. Organizations using this plugin should prioritize patching or applying mitigations to prevent script injection and subsequent attacks such as session hijacking or privilege escalation.
AI Analysis
Technical Summary
CVE-2024-12815 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Point Maker plugin for WordPress, developed by zipang. The flaw exists in all versions up to and including 0.1.6, due to insufficient sanitization and escaping of user-supplied input within the plugin's 'point_maker' shortcode. Specifically, authenticated users with contributor-level or higher permissions can inject arbitrary JavaScript code into pages generated by the plugin. This malicious code is stored persistently and executed in the browsers of any users who visit the infected pages, potentially leading to session hijacking, unauthorized actions, or data theft. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability affects all installations of the plugin up to version 0.1.6, which may be present in WordPress sites worldwide, especially those allowing contributor-level user roles. The exploitability is moderate due to the need for authenticated access, but the impact can be significant if exploited.
Potential Impact
The primary impact of CVE-2024-12815 is the compromise of confidentiality and integrity of affected WordPress sites using the Point Maker plugin. An attacker with contributor-level access can inject persistent malicious scripts that execute in the context of other users, including administrators, potentially leading to session hijacking, privilege escalation, defacement, or data theft. This can undermine trust in the affected websites and lead to reputational damage, data breaches, or further compromise of internal systems. Since the vulnerability requires authenticated access, the risk is higher in environments with weak user access controls or where contributor accounts are easily obtained or compromised. The scope is significant because WordPress is widely used globally, and the plugin may be installed on numerous sites, including corporate, educational, and governmental portals. Although no availability impact is noted, the indirect consequences of exploitation can disrupt normal operations and require incident response efforts.
Mitigation Recommendations
To mitigate CVE-2024-12815, organizations should first verify if they use the Point Maker plugin and identify the version in use. Since no official patch is currently linked, immediate steps include restricting contributor-level access to trusted users only and auditing existing content for injected scripts. Administrators should implement strict input validation and output escaping at the application level if possible, or temporarily disable the plugin until a secure update is released. Employing Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting the 'point_maker' shortcode can reduce risk. Monitoring logs for suspicious activity from contributor accounts is recommended. Additionally, educating users about the risks of elevated privileges and enforcing strong authentication mechanisms will limit exploitation opportunities. Once a patch is available, prompt application is critical. Regular security assessments and plugin updates should be part of ongoing maintenance.
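The advisory's mitigation advice centres on output escaping of shortcode attributes. The following is an added illustration written for this page; it is not code from the Point Maker plugin and does not reflect its internals. Only the shortcode name 'point_maker' comes from the advisory; the attribute names (label, color, size), the generated markup and the function names are assumptions. It shows the CWE-79 pattern the advisory describes (attribute values concatenated straight into HTML) next to a handler that validates or escapes each value for the context it lands in.

```php
<?php
// Added example, not the plugin's code. Shortcode name from the advisory;
// attributes 'label', 'color', 'size' and the markup are assumptions.

// BEFORE: the pattern described under CWE-79. Values written by the post
// author are concatenated into the page unescaped, so a contributor-level
// user controls raw HTML that renders for every visitor of the page.
function pm_example_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => '', 'color' => '#000000', 'size' => '16' ),
        $atts,
        'point_maker'
    );
    return '<span class="point-maker" style="color:' . $atts['color']
         . ';font-size:' . $atts['size'] . 'px">' . $atts['label'] . '</span>';
}

// AFTER: each value is validated or escaped for its exact output context.
function pm_example_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => '', 'color' => '#000000', 'size' => '16' ),
        $atts,
        'point_maker'
    );

    // Text-node context: esc_html() neutralises <, >, &, and quotes.
    $label = esc_html( $atts['label'] );

    // CSS colour: allow-list a 6-digit hex value; anything else falls back
    // to the default instead of being echoed.
    $color = preg_match( '/^#[0-9a-fA-F]{6}$/', $atts['color'] )
        ? $atts['color']
        : '#000000';

    // Numeric size: coerce to an integer in a sane range rather than escape.
    $size = max( 8, min( 72, absint( $atts['size'] ) ) );

    // Attribute context: esc_attr() on the assembled style string so the
    // value cannot terminate the quoted attribute.
    $style = esc_attr( sprintf( 'color:%s;font-size:%dpx', $color, $size ) );

    return sprintf( '<span class="point-maker" style="%s">%s</span>', $style, $label );
}

add_shortcode( 'point_maker', 'pm_example_shortcode_safe' );
```

The reason escaping has to happen at output time, in context, is that WordPress' content filtering for users without the unfiltered_html capability operates on the stored post body, not on the HTML a shortcode later generates; a shortcode attribute is plain text to that filter, so whatever it contains reaches the handler intact. When auditing existing content, search post bodies for 'point_maker' shortcodes and review the attribute values by hand; escaping at render time protects visitors even before that review is finished.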
Affected Countries
United States, Germany, United Kingdom, Japan, Australia, Canada, France, India, Brazil, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-19T20:09:40.738Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e48b7ef31ef0b59c4cd
Added to database: 2/25/2026, 9:48:56 PM
Last enriched: 2/26/2026, 2:58:29 AM
Last updated: 2/26/2026, 9:37:45 AM