CVE-2024-12817 is a stored cross-site scripting vulnerability identified in the Etsy Importer plugin for WordPress, maintained by coreymcollins. The flaw exists in all versions up to and including 1.4.2 within the 'product_link' shortcode functionality. The root cause is insufficient input sanitization and output escaping of user-supplied attributes, specifically the 'product_link' shortcode parameters. Authenticated attackers with contributor-level privileges or higher can inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes every time a user accesses the compromised page, potentially affecting site administrators, editors, and visitors. The vulnerability leverages CWE-79, which concerns improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, and a scope change with partial confidentiality and integrity impact but no availability impact. No public exploits have been reported yet, but the vulnerability poses a significant risk given WordPress’s widespread use and the plugin’s role in importing Etsy products. The vulnerability’s exploitation could lead to session hijacking, unauthorized actions on behalf of users, defacement, or distribution of malware.

The impact of this vulnerability is primarily on the confidentiality and integrity of affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users, including administrators, potentially leading to session hijacking, privilege escalation, or unauthorized actions. This can compromise site data, user credentials, and trustworthiness of the website. Since the vulnerability is stored XSS, the malicious payload persists and affects every visitor to the infected page, increasing the attack surface. Organizations relying on the Etsy Importer plugin risk website defacement, data theft, and reputational damage. The vulnerability does not impact availability directly but can indirectly cause service disruption if exploited for further attacks. Given WordPress’s popularity and the plugin’s niche in e-commerce integration, small to medium businesses using Etsy Importer are particularly at risk.

To mitigate this vulnerability, organizations should first update the Etsy Importer plugin to a version that addresses the issue once released by the vendor. Until a patch is available, administrators should restrict contributor-level access to trusted users only, minimizing the risk of malicious input injection. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the 'product_link' shortcode parameters can provide temporary protection. Site owners should audit existing content generated by the plugin for injected scripts and remove any suspicious code. Additionally, applying strict Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting script sources. Regular security reviews and user privilege audits will help reduce the attack surface. Finally, monitoring logs for unusual activity related to the plugin’s shortcode usage can aid in early detection of exploitation attempts.