CVE-2024-12708
Published: 30 January 2025
Description
The Bulk Me Now! WordPress plugin through 2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Security Summary
CVE-2024-12708 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Bulk Me Now! WordPress plugin through version 2.0. The flaw arises because the plugin fails to validate and escape certain shortcode attributes before outputting them in pages or posts where the shortcode is embedded. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and was published on 2025-01-30. Note that the vector's PR:N (no privileges required) does not match the description, which requires at least a contributor account; when triaging, treat the issue as authenticated stored XSS whose real precondition is the ability to create or edit post content.
Users with the contributor role or higher can exploit this vulnerability by placing a payload in a shortcode attribute within a page or post they create or edit. WordPress core strips script tags and event handlers from post content saved by users who lack the unfiltered_html capability (contributors and authors on a default install), but the text inside a shortcode's attribute values survives that filtering, so the plugin's own output escaping is the only control. When another user, including an administrator, views the affected page or post (a contributor's pending post is typically previewed by an editor or administrator before publication), the unescaped output executes the script in that user's browser with their session, allowing actions with the victim's privileges (for example, creating an administrator account or installing a plugin through wp-admin), data theft, or further site compromise.
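The following is an added illustration of the bug class, not code from the Bulk Me Now! plugin or from WPScan: a generic WordPress shortcode handler that echoes its attributes unescaped, beside a hardened version that validates values with a known shape and escapes each value for the exact HTML context it lands in. The shortcode name demo_box and the attributes title, color and link are assumptions chosen for the example; the plugin's real shortcode and attribute names are not given on this page.

```php
<?php
// Added example, not the Bulk Me Now! plugin's code. Shortcode name and
// attribute names ("demo_box", title/color/link) are assumptions.
// Requires the WordPress runtime (shortcode_atts, esc_attr, esc_html,
// esc_url, add_shortcode are core WordPress functions).

// --- Vulnerable pattern: attribute values are concatenated into HTML as-is.
// A contributor who writes [demo_box title='"><img src=x onerror=alert(1)>']
// in a post gets the attribute value rendered verbatim when the post is
// viewed or previewed, because KSES filtering of post content does not
// touch the text inside shortcode attributes.
function demo_box_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'color' => '#000', 'link' => '' ),
        $atts,
        'demo_box'
    );
    return '<div class="demo-box" style="color:' . $atts['color'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a>'
         . '</div>';
}

// --- Hardened pattern: allow-list where the value has a known shape,
// otherwise escape for the context (attribute, URL, text node).
function demo_box_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'color' => '#000', 'link' => '' ),
        $atts,
        'demo_box'
    );

    // Validation: only a 3- or 6-digit hex colour literal is accepted,
    // anything else falls back to the default. Style attributes are a
    // classic breakout point, so validating beats escaping here.
    $color = preg_match( '/\A#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?\z/', $atts['color'] )
        ? $atts['color']
        : '#000';

    // Escaping: esc_url() drops javascript: and other unsafe schemes,
    // esc_attr() neutralises quote/bracket breakouts inside attributes,
    // esc_html() neutralises tag injection in text content.
    return '<div class="demo-box" style="color:' . esc_attr( $color ) . '">'
         . '<a href="' . esc_url( $atts['link'] ) . '">'
         . esc_html( $atts['title'] ) . '</a>'
         . '</div>';
}

// Register only the hardened handler; the vulnerable one is kept above
// purely for comparison.
add_shortcode( 'demo_box', 'demo_box_shortcode_hardened' );
```

The fix is per-attribute and per-context: a value that ends up inside a style or other attribute, a URL, and a text node each need a different treatment, and a single generic sanitiser applied at parse time is not a substitute for escaping at the point of output. When reviewing a plugin for this bug class, search every add_shortcode callback for attribute values that reach the return string without passing through an esc_* function or an explicit allow-list.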
Advisories from WPScan detail the issue and recommend updating to a patched version of the plugin where one is available; as the affected range is stated as "through 2.0", confirm the installed version on the Plugins screen and check the referenced WPScan vulnerability pages for the fixed version, specific mitigation steps, and verification guidance. Until a fix is applied, restricting contributor-level accounts or removing the plugin removes the exposure.
Details
- CWE(s)