
CVE-2024-12818: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in robdavenport WP Smart TV

Severity: Medium
Tags: Vulnerability, CVE-2024-12818, CWE-79
Published: Wed Jan 15 2025 (01/15/2025, 09:25:55 UTC)
Source: CVE Database V5
Vendor/Project: robdavenport
Product: WP Smart TV

Description

CVE-2024-12818 is a stored cross-site scripting (XSS) vulnerability in the WP Smart TV WordPress plugin, affecting all versions up to and including 2.1.8. It arises from insufficient input sanitization and output escaping of user-supplied attributes in the 'tv-video-player' shortcode, which lets an authenticated user with contributor-level access or higher store a script payload in a post. The script executes in the browser of any user who later views (or, for an unpublished contributor post, previews) the affected page, exposing that user's session and data. The vulnerability carries a CVSS 3.1 base score of 6.4 (medium). No exploitation in the wild had been reported at the time of writing. Exploitation requires an account with at least contributor privileges; the only interaction needed is a victim loading the page. Organizations running WordPress sites with this plugin should patch when a fix is available and mitigate in the meantime to prevent account compromise or data theft. Exposure follows the plugin's install base, which, like WordPress itself, is worldwide.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 02:57:41 UTC

Technical Analysis

CVE-2024-12818 is a stored cross-site scripting vulnerability in the WP Smart TV plugin for WordPress, affecting all versions up to and including 2.1.8. The flaw is improper neutralization of input during web page generation (CWE-79) in the 'tv-video-player' shortcode: attribute values supplied in the shortcode are placed into the rendered markup without adequate sanitization on input or escaping on output. This matters because WordPress does not let contributors submit raw HTML (they lack the unfiltered_html capability, so wp_kses strips tags from their post content), but a shortcode is plain bracketed text that survives that filter, and its attributes are handed to the plugin's callback exactly as written; if the callback concatenates them into the output, a value such as title='" onmouseover="alert(document.cookie)' closes the HTML attribute and becomes an event handler. When another user loads the page, the injected script runs in that user's browser with that user's session. The most likely victims are editors and administrators, since a contributor's post must be previewed by one of them before it can be published; in an administrator's session the script can perform wp-admin actions such as creating a user, which is the privilege-escalation path. The attack vector is network, attack complexity is low, the required privilege is low (contributor), and no interaction by the attacker is needed beyond a victim viewing the page; the CVSS 3.1 base score of 6.4 (medium) corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N that Wordfence assigns to contributor-level stored XSS. No public exploit had been reported at the time of analysis. Because sites commonly hand contributor accounts to guest authors and external writers, multi-author sites running this plugin are at meaningful risk, and the absence of a patch at the time of reporting means administrators must rely on mitigation.
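The pattern described above, as an added example that is not WP Smart TV's code: a shortcode callback in the shape the advisory describes, first unsafe, then hardened with type-appropriate sanitization and output escaping. The attribute names (src, width, height, title), the function names and the <video> markup are assumptions; the WordPress helpers are shimmed with simplified stand-ins so the file runs under plain php, while inside WordPress the real functions apply.

```php
<?php
// Added example, not code from WP Smart TV: a shortcode callback in the shape
// the advisory describes, first unsafe, then hardened. The attribute names
// (src, width, height, title), the function names and the <video> markup are
// assumptions. The WordPress helpers are shimmed below so the file runs under
// plain `php`; inside WordPress the real functions are used instead.

if (!function_exists('shortcode_atts')) {
    // Simplified stand-in: keep only known attribute names, fill in defaults.
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in (stricter than WordPress's): http(s) only, else empty.
    function esc_url($url): string {
        $url = trim((string) $url);
        if (!preg_match('#^https?://[^\s"\'<>]+$#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($value): int { return abs((int) $value); }
}

const TV_DEFAULTS = ['src' => '', 'width' => 640, 'height' => 360, 'title' => ''];

// UNSAFE: attribute values are concatenated straight into the markup, so a
// value containing a double quote closes the attribute and injects its own.
function tv_video_player_unsafe($atts): string {
    $a = shortcode_atts(TV_DEFAULTS, is_array($atts) ? $atts : []);
    return '<video src="' . $a['src'] . '" width="' . $a['width'] . '" height="'
         . $a['height'] . '" title="' . $a['title'] . '" controls></video>';
}

// HARDENED: validate each attribute by the type it is supposed to have, then
// escape at the point of output. WordPress passes '' (not an array) when a
// shortcode has no attributes, hence the is_array() guard.
function tv_video_player_safe($atts): string {
    $a = shortcode_atts(TV_DEFAULTS, is_array($atts) ? $atts : []);
    $src = esc_url($a['src']);
    if ($src === '') {
        return ''; // no usable source: emit nothing rather than attacker-shaped markup
    }
    return sprintf(
        '<video src="%s" width="%d" height="%d" title="%s" controls></video>',
        $src,
        absint($a['width']),
        absint($a['height']),
        esc_attr($a['title'])
    );
}

// Constructed attacker input, as WordPress would parse it from
// [tv-video-player src="https://cdn.example/v.mp4" title='" onmouseover="alert(document.cookie)']
$atts = [
    'src'   => 'https://cdn.example/v.mp4',
    'title' => '" onmouseover="alert(document.cookie)',
];

echo "unsafe: ", tv_video_player_unsafe($atts), PHP_EOL;
echo "safe:   ", tv_video_player_safe($atts), PHP_EOL;
echo "safe, bad src: ", tv_video_player_safe(['src' => 'javascript:alert(1)']), PHP_EOL;
```

Run it with php on the command line. In the unsafe output the stored title ends up as its own onmouseover attribute on the tag; in the hardened output the same value stays inside the title attribute with the quote encoded, and the javascript: source produces no tag at all. The design point is that escaping alone is not enough for a URL attribute, which is why src goes through a URL check before esc_attr-style encoding would even apply.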

Potential Impact

The primary impact of CVE-2024-12818 is loss of confidentiality and integrity for users of the affected site. A contributor can store a script that runs in other users' browsers whenever they load the page, enabling theft of session cookies or nonces, redirection to attacker-controlled sites, and actions taken through the victim's authenticated session; if the victim is an administrator this reaches account takeover and site-wide compromise. Because the payload is stored, it fires on every view until the offending content is removed, and it fires reliably against the editors and administrators who preview contributor submissions. Organizations using WP Smart TV for video embedding therefore face reputational and regulatory exposure if user data is taken. The medium CVSS score reflects that the attacker needs a low-privileged account and that the victim's only interaction is loading the page, which makes this a notable threat to multi-author WordPress sites.

Mitigation Recommendations

Until a fixed release is available, treat CVE-2024-12818 as a question of who can store shortcode attributes and who renders them. First, review every account holding the contributor role or above and remove or downgrade any that is not needed; contributors are the lowest role that can create posts, and the payload is aimed at whoever reviews those posts. Second, audit existing content: search post content of all types and statuses (drafts and pending posts included, since those are what editors preview) for the 'tv-video-player' shortcode and inspect any attribute value containing quotes, angle brackets, a javascript: scheme or an on*= fragment. WordPress's kses filtering for authors without unfiltered_html does not protect here, because the shortcode text survives the filter and its attributes reach the plugin unescaped. Third, reduce exposure at the edges: web application firewall rules that match common XSS payloads in request bodies help against unsophisticated attempts but are bypassable, so treat them as defense in depth rather than a fix; a Content Security Policy that forbids inline script and inline event handlers would neutralize this payload class, but it will also break wp-admin and most plugins, so test it before enforcing it on authenticated pages. If the plugin is not essential, deactivate or replace it until a patched version ships. Keep tested backups and an incident response plan in place, watch the vendor's and Wordfence's advisories for a fix, and apply it promptly once it is available.
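The content audit described above, as an added example that is not from the page or the plugin: a script that finds every 'tv-video-player' shortcode in post content and reports the ones whose attribute values carry markup or event-handler fragments. The post array is constructed sample data; the field names (ID, post_author, post_status, post_content) follow the WordPress post object, and on a live site the file would be run with WP-CLI and the sample array replaced by a get_posts() query, as the comment notes.

```php
<?php
// Added example, not from the page or the plugin: audit stored post content
// for [tv-video-player] instances whose attribute values carry markup or an
// event-handler fragment. The $posts array below is constructed sample data;
// on a live site run the file with `wp eval-file audit.php` and replace it
// with get_posts(['post_type' => 'any', 'post_status' => 'any',
// 'numberposts' => -1]), which includes the draft and pending posts that an
// editor or administrator would preview.

const SHORTCODE = 'tv-video-player';

// Parse one shortcode's attribute text. Accepts the three value forms
// WordPress accepts (double-quoted, single-quoted, bare); inside WordPress
// shortcode_parse_atts() does this job.
function parse_atts(string $text): array {
    $atts = [];
    $re = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/';
    preg_match_all($re, $text, $matches, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL);
    foreach ($matches as $m) {
        $atts[strtolower($m[1])] = $m[2] ?? $m[3] ?? $m[4] ?? '';
    }
    return $atts;
}

// Characters and fragments that have no place in a media URL, a pixel size or
// a plain title but are the building blocks of attribute-breakout XSS.
function suspicious_atts(array $atts): array {
    $hits = [];
    foreach ($atts as $name => $value) {
        if (preg_match('/[<>"\']|javascript:|\bon\w+\s*=/i', $value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

// Return one finding per shortcode instance that has a suspicious attribute.
function audit_posts(array $posts): array {
    $findings = [];
    $re = '/\[' . preg_quote(SHORTCODE, '/') . '\b([^\]]*)\]/';
    foreach ($posts as $post) {
        if (!preg_match_all($re, $post['post_content'], $m)) {
            continue;
        }
        foreach ($m[1] as $attText) {
            $bad = suspicious_atts(parse_atts($attText));
            if ($bad !== []) {
                $findings[] = [
                    'ID'     => $post['ID'],
                    'author' => $post['post_author'],
                    'status' => $post['post_status'],
                    'atts'   => $bad,
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample posts: one clean, one quote breakout, one javascript: URL.
$posts = [
    ['ID' => 101, 'post_author' => 7, 'post_status' => 'publish',
     'post_content' => 'Intro [tv-video-player src="https://cdn.example/a.mp4" width="640" title="Episode 1"] outro'],
    ['ID' => 102, 'post_author' => 9, 'post_status' => 'pending',
     'post_content' => "[tv-video-player src='https://cdn.example/b.mp4' title='\" onmouseover=\"alert(document.cookie)']"],
    ['ID' => 103, 'post_author' => 9, 'post_status' => 'draft',
     'post_content' => '[tv-video-player src="javascript:alert(1)"]'],
];

foreach (audit_posts($posts) as $f) {
    printf("post %d (author %d, %s): %s\n", $f['ID'], $f['author'], $f['status'], json_encode($f['atts']));
}
```

On the sample data the clean post is silent and the other two are reported with the offending attribute values, so the output doubles as the list of posts to revert and the authors to review. The quote check will also flag legitimate apostrophes in titles, which is deliberate: the cost of a reviewer glancing at a false positive is far lower than missing a breakout, and the author and status columns make triage quick.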


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-12-19T20:16:26.015Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e48b7ef31ef0b59c4dc

Added to database: 2/25/2026, 9:48:56 PM

Last enriched: 2/26/2026, 2:57:41 AM

Last updated: 2/26/2026, 9:34:03 AM

