
CVE-2024-12321

Severity: High
Public PoC: available

Published: 27 January 2025
Modified: 13 May 2025
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0010 (26.3 percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The WC Affiliate WordPress plugin through 2.3.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Security Summary

CVE-2024-12321 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, in the WC Affiliate WordPress plugin through version 2.3.9. The flaw arises because the plugin does not sanitize and escape a parameter before outputting it back in the page, enabling malicious script injection. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), reflecting network accessibility, low attack complexity, no required privileges, user interaction dependency, and changed scope with low impacts across confidentiality, integrity, and availability.

Any unauthenticated remote attacker can exploit this vulnerability by crafting a malicious URL or payload that includes the unsanitized parameter. The attack requires tricking a targeted high-privilege user, such as an admin, into visiting the malicious page via social engineering, such as phishing. Upon interaction, the injected script executes in the victim's browser context, potentially allowing session token theft, account takeover, or further site compromise leveraging the victim's elevated permissions.

Advisories detailing mitigation are available from WPScan at https://wpscan.com/vulnerability/d4c55d30-1c15-41ee-95e0-670891d67684/. Security practitioners should consult these references for patch availability, workaround guidance, and affected configurations.

Details

CWE(s)
CWE-79

Affected Products

codexpert / wc affiliate, versions ≤ 2.4

References