CVE-2024-12820 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the MK Google Directions plugin for WordPress, maintained by manoj_rana91986. The vulnerability exists in all versions up to and including 3.1 due to improper neutralization of input during web page generation. Specifically, the plugin's 'MKGD' shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level or higher permissions to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the browsers of any users who visit the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability requires no user interaction beyond visiting the infected page but does require the attacker to have contributor-level access, which is a moderate privilege level in WordPress. The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates that the attack can be launched remotely over the network with low complexity, requires privileges, no user interaction, and impacts confidentiality and integrity with a scope change. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the importance of secure coding practices in WordPress plugins, particularly regarding input validation and output encoding in shortcode implementations.

The impact of CVE-2024-12820 is significant for organizations running WordPress sites with the MK Google Directions plugin installed. An attacker with contributor-level access can inject persistent malicious scripts, which execute in the context of any user visiting the infected page. This can lead to session hijacking, theft of sensitive information such as cookies or authentication tokens, unauthorized actions performed on behalf of users, and potential privilege escalation. The confidentiality and integrity of user data are at risk, although availability is not directly impacted. Since contributor-level access is often granted to trusted users or external content creators, the threat surface is non-trivial. Exploitation could facilitate further attacks within the organization’s web environment or against its users. The vulnerability could also damage organizational reputation if exploited, especially for sites handling sensitive or personal data. Given the widespread use of WordPress globally, the potential scope of affected systems is large, increasing the risk of targeted attacks or automated exploitation once a public exploit emerges.

To mitigate CVE-2024-12820, organizations should first check if they are using the MK Google Directions plugin and identify the version installed. Since no official patch is currently linked, immediate mitigation includes restricting contributor-level access to trusted users only and auditing existing content for injected scripts. Administrators should implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs or script payloads. Employing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources. Plugin developers or site maintainers should sanitize and escape all user-supplied inputs rigorously, especially in shortcode attributes, using WordPress’s built-in functions like esc_attr() and wp_kses(). Monitoring logs for unusual activity and educating contributors about secure content practices are also recommended. Finally, stay alert for official patches or updates from the plugin author and apply them promptly once available.