CVE-2024-12921 is a stored cross-site scripting vulnerability identified in the EthereumICO plugin for WordPress, which is widely used to integrate Ethereum ICO functionalities into WordPress sites. The vulnerability exists due to insufficient sanitization and escaping of user-supplied input in the ethereum-ico shortcode attributes. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially enabling session hijacking, unauthorized actions, or redirection to malicious sites. The vulnerability affects all versions up to and including 2.4.6. Exploitation does not require user interaction but does require authenticated access, limiting the attack surface to users with some level of privilege on the WordPress site. The CVSS 3.1 score is 6.4, indicating a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed due to the potential impact on other users viewing the injected content. No public exploits have been reported yet, but the vulnerability poses a significant risk to sites using this plugin, especially those with multiple contributors or editors. The lack of a patch at the time of reporting necessitates immediate mitigation efforts by administrators.

The primary impact of this vulnerability is the compromise of confidentiality and integrity for users interacting with affected WordPress sites. Attackers can execute arbitrary scripts in the context of the victim’s browser, potentially stealing session cookies, credentials, or performing actions on behalf of the victim. This can lead to account takeover, unauthorized content modification, or phishing attacks. Since the vulnerability requires authenticated access, the risk is higher in environments with multiple contributors or editors. The availability of the site is not directly impacted. Organizations relying on the EthereumICO plugin for managing ICO-related content or Ethereum transactions risk reputational damage and user trust loss if exploited. Additionally, attackers could leverage this vulnerability as a foothold for further attacks within the network or to spread malware. The medium severity rating reflects the moderate ease of exploitation combined with the significant impact on user data and site integrity.

Administrators should immediately restrict contributor-level and higher user privileges to trusted individuals only, minimizing the risk of malicious script injection. Until an official patch is released, consider disabling the EthereumICO plugin or removing the ethereum-ico shortcode usage from all pages. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious script injections targeting shortcode attributes. Conduct thorough input validation and output encoding on all user-supplied data within the plugin if custom modifications are possible. Monitor logs for unusual activity from contributors or editors. Educate users about the risks of XSS and encourage strong authentication practices, including multi-factor authentication, to reduce the risk of compromised accounts. Once a patch is available, apply it promptly and verify that the vulnerability is remediated. Regularly update WordPress and all plugins to their latest versions to minimize exposure to known vulnerabilities.