CVE-2024-12400
Published: 30 January 2025
Summary
CVE-2024-12400 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Goodlayers Tour Master. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 26.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-12400 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Tourmaster WordPress plugin in versions before 5.3.5. The flaw occurs because the plugin does not properly escape generated URLs before outputting them in HTML attributes, allowing attackers to inject malicious scripts that execute in the context of a victim's browser.
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L), but it requires user interaction (UI:R), such as clicking a malicious link. Exploitation results in reflected XSS with a changed scope (S:C), enabling limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), for an overall CVSS v3.1 base score of 7.1. This could allow theft of session cookies or other client-side data.
WPScan advisories, referenced at https://wpscan.com/vulnerability/3542315c-93c3-41dd-a99e-02a38cfd58fb/, detail the issue and recommend updating the Tourmaster plugin to version 5.3.5 or later as the primary mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50825
Vulnerability details
The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables exploitation via malicious links (T1204.001) and public application exploitation (T1190), with the primary impact being theft of web session cookies (T1539).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly addressing this CVE by updating the Tourmaster plugin to version 5.3.5 or later to fix the unescaped URL output.
SI-15 mandates filtering of information outputs prior to transmission, preventing reflected XSS by ensuring generated URLs are properly escaped in HTML attributes.
SI-10 enforces validation of inputs, helping to block malicious payloads that could be reflected as unescaped URLs leading to XSS.
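The unescaped-URL-in-attribute pattern described under Deeper analysis, beside the output filtering that SI-15 and SI-10 call for, as an added Python example (not the plugin's code; `build_link_vulnerable`, `esc_url_for_attr`, `anchor_attributes` and the sample parameter value are constructed for illustration; WordPress's own `esc_url()` is the real-world equivalent of the hardened helper):

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a request parameter that a plugin reflects into a link.
# The breakout value is deliberately inert; it only smuggles a marker attribute.
SAMPLE_PARAM = 'x" data-injected="1'
ALLOWED_SCHEMES = {"http", "https", ""}  # "" covers relative URLs

def build_link_vulnerable(base_url: str, param: str) -> str:
    """The CWE-79 anti-pattern: a generated URL is concatenated straight into an
    HTML attribute, so a double quote in the input terminates the attribute."""
    url = f"{base_url}?page={param}"
    return f'<a href="{url}">Next</a>'

def esc_url_for_attr(url: str) -> str:
    """Output filter (SI-15): drop URLs with a disallowed scheme, then escape for
    the attribute context. WordPress's esc_url() performs the same two steps."""
    if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
        return ""
    return escape(url, quote=True)

def build_link_hardened(base_url: str, param: str) -> str:
    """Same template, but the generated URL passes through the output filter."""
    url = f"{base_url}?page={param}"
    return f'<a href="{esc_url_for_attr(url)}">Next</a>'

class _AnchorAttrs(HTMLParser):
    """Collects the attributes a browser would actually see on the <a> tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = dict(attrs)

def anchor_attributes(fragment: str) -> dict:
    """Defender's check: any attribute beyond href means the input broke out."""
    parser = _AnchorAttrs()
    parser.feed(fragment)
    return parser.attrs

if __name__ == "__main__":
    base = "https://example.test/tours"
    print(anchor_attributes(build_link_vulnerable(base, SAMPLE_PARAM)))
    print(anchor_attributes(build_link_hardened(base, SAMPLE_PARAM)))
```

The hardened output keeps the whole reflected value inside `href` (the parser reports a single attribute), which is the property an output-filtering control like SI-15 is meant to guarantee.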