Cyber Resilience

CVE-2024-12708

Severity: High · Public PoC

Published: 30 January 2025
Modified: 11 May 2025
KEV Added: not listed
Patch: no fixed version recorded
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS score: 0.0010 (26.6th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12708 is a high-severity stored cross-site scripting (CWE-79) vulnerability in the Ombu Bulk Me Now! WordPress plugin, affecting versions up to and including 2.0. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Browser Session Hijacking (T1185). EPSS ranks the CVE at the 26.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-12708 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Bulk Me Now! WordPress plugin through version 2.0. The flaw arises because the plugin fails to properly validate and escape certain shortcode attributes before outputting them in pages or posts where the shortcode is embedded. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and was published on 2025-01-30.

Users with the contributor role or higher can exploit this vulnerability by placing a malicious payload in a shortcode attribute within a page or post they create or edit. Contributors normally cannot insert raw script into post content, because WordPress filters their submissions through wp_kses when they lack the unfiltered_html capability; a shortcode attribute that the plugin echoes unescaped sidesteps that filter, since the payload only has to break out of the attribute, not contain a tag. When other users, including administrators, view the affected page or post, the unescaped output executes the injected script in their browsers, potentially leading to session hijacking, data theft, or further site compromise.
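The pattern described above, as an added illustration that is not the Bulk Me Now! plugin's code: a shortcode handler that interpolates an attribute into markup unescaped, beside a hardened handler that allow-lists what it can (SI-10) and escapes each value for its output context (SI-15). The shortcode name demo_bulk, the attribute names and the payload are assumptions; the WordPress helpers shortcode_atts(), esc_attr() and esc_html() are replaced by minimal stand-ins (prefixed demo_) so the file runs with the php CLI outside WordPress.

```php
<?php
// Added illustration of the CWE-79 pattern in a shortcode handler. This is
// NOT the Bulk Me Now! plugin's code; "demo_bulk", its attribute names and
// the payload are assumptions. WordPress helpers are replaced by stand-ins
// so the file runs stand-alone: php this_file.php

// Stand-in for WordPress shortcode_atts(): fill defaults, drop unknown keys.
// WordPress hands the handler an already-parsed attribute array like this.
function demo_shortcode_atts(array $defaults, array $atts): array {
    $out = [];
    foreach ($defaults as $name => $default) {
        $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
    }
    return $out;
}

// Stand-in for WordPress esc_attr(): encode &, <, >, " and ' for an
// attribute context (real esc_attr also normalises invalid UTF-8 first).
function demo_esc_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for WordPress esc_html(): same encoding for a text-node context.
function demo_esc_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// VULNERABLE: attribute values go straight into the markup, so a value
// containing a double quote closes the title attribute and starts new ones.
function demo_bulk_vulnerable(array $atts): string {
    $a = demo_shortcode_atts(['title' => 'Bulk', 'color' => 'blue'], $atts);
    return '<div class="bulk" style="color:' . $a['color'] . '" title="'
         . $a['title'] . '">' . $a['title'] . '</div>';
}

// HARDENED: validate what has a known shape (SI-10) and escape everything
// at output, one escaper per context (SI-15).
function demo_bulk_hardened(array $atts): string {
    $a = demo_shortcode_atts(['title' => 'Bulk', 'color' => 'blue'], $atts);
    // Allow-list the colour: a CSS colour name or hex triplet, else default.
    $color = preg_match('/^(?:[a-z]{1,20}|#[0-9a-f]{3}|#[0-9a-f]{6})$/i', $a['color'])
           ? $a['color'] : 'blue';
    return '<div class="bulk" style="color:' . demo_esc_attr($color) . '" title="'
         . demo_esc_attr($a['title']) . '">' . demo_esc_html($a['title']) . '</div>';
}

// Constructed payload of the kind a contributor can put in a shortcode
// attribute, e.g. [demo_bulk title='" onmouseover="alert(document.cookie)'].
// It contains no "<", so wp_kses leaves it untouched on save; only the
// handler's output escaping stands between it and the viewer's browser.
$payload = ['title' => '" onmouseover="alert(document.cookie)'];

echo "vulnerable: " . demo_bulk_vulnerable($payload) . "\n";
echo "hardened:   " . demo_bulk_hardened($payload) . "\n";
```

The vulnerable line renders a div carrying a live onmouseover handler; the hardened line renders the same characters as inert &quot;-escaped text. The colour allow-list is there because the value lands inside a style attribute, where escaping alone does not stop CSS-based tricks; validation and escaping are separate controls, and both are needed.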

Advisories from WPScan detail the issue and recommend updating to a patched version of the plugin where available; the Affected Assets entry below lists versions up to and including 2.0 and records no fixed version. Practitioners should review the referenced WPScan vulnerability pages for specific mitigation steps and verification guidance, and should check existing posts for stored payloads rather than assuming an update alone removes them.
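A hunt script for the verification step above, added here and not taken from WPScan or the plugin: it scans rows shaped like wp_posts for shortcode attribute values that carry attribute-breakout or script characters. The rows are constructed; on a real site they would come from wp_posts (WP-CLI, a database export, or $wpdb), and the watch list would hold the shortcode names the affected plugin registers (the name demo_bulk is an assumption). The shortcode and attribute patterns are simplifications of WordPress's get_shortcode_regex() and shortcode_parse_atts().

```php
<?php
// Added hunt script for responders (not from WPScan or the plugin): find
// stored shortcode attributes that look like XSS payloads. Sample rows are
// constructed; "demo_bulk" is an assumed shortcode name.

// Shortcode opening tag and its raw attribute string. Simplified from
// WordPress's get_shortcode_regex(): "]" ends the shortcode and "/" is only
// allowed when not directly before "]", matching how WordPress cuts it off.
const SHORTCODE_RE = '/\[([a-z0-9_\-]+)(?![\w-])([^\]\/]*(?:\/(?!\])[^\]\/]*)*?)(?:\/\]|\])/i';

// name="value", name='value' or name=value: the three quoting forms that
// WordPress's shortcode_parse_atts() accepts.
const ATTR_RE = '/([a-z0-9_\-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/i';

// Reasons a single attribute value looks like a payload (empty = clean).
function suspicious_reasons(string $value): array {
    $checks = [
        'quote breakout (" or \')'    => '/["\']/',
        'tag characters (< or >)'     => '/[<>]/',
        'event handler (on...=)'      => '/\bon[a-z]+\s*=/i',
        'javascript: or data: scheme' => '/(?:javascript|data)\s*:/i',
        'entity or JS escape'         => '/&#|\\\\x[0-9a-f]{2}|\\\\u[0-9a-f]{4}/i',
    ];
    $reasons = [];
    foreach ($checks as $label => $re) {
        if (preg_match($re, $value)) {
            $reasons[] = $label;
        }
    }
    return $reasons;
}

// Scan rows with ID, post_author and post_content; report every attribute
// of a watched shortcode that trips a check.
function scan_posts(array $rows, array $watch): array {
    $findings = [];
    $watch = array_map('strtolower', $watch);
    foreach ($rows as $row) {
        if (!preg_match_all(SHORTCODE_RE, $row['post_content'], $codes, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($codes as $code) {
            if (!in_array(strtolower($code[1]), $watch, true)) {
                continue;
            }
            preg_match_all(ATTR_RE, $code[2], $attrs, PREG_SET_ORDER);
            foreach ($attrs as $attr) {
                // Only one quoting alternative matches, so concatenating the
                // three capture groups yields the value whichever one it was.
                $value = ($attr[2] ?? '') . ($attr[3] ?? '') . ($attr[4] ?? '');
                foreach (suspicious_reasons($value) as $reason) {
                    $findings[] = [
                        'post'      => $row['ID'],
                        'author'    => $row['post_author'],
                        'shortcode' => $code[1],
                        'attr'      => $attr[1],
                        'reason'    => $reason,
                    ];
                }
            }
        }
    }
    return $findings;
}

// Constructed wp_posts-like rows: one benign use, two payload-bearing uses.
$rows = [
    ['ID' => 101, 'post_author' => 7,
     'post_content' => 'Offer: [demo_bulk title="Spring sale" color="red"] ends Friday.'],
    ['ID' => 102, 'post_author' => 9,
     'post_content' => "[demo_bulk title='\" onmouseover=\"alert(document.cookie)\" style=\"position:fixed;top:0;left:0;width:100%;height:100%']"],
    ['ID' => 103, 'post_author' => 9,
     'post_content' => "[demo_bulk title=x color='javascript:alert(1)']"],
];

foreach (scan_posts($rows, ['demo_bulk']) as $f) {
    printf("post %d (author %d): [%s] attr %s: %s\n",
           $f['post'], $f['author'], $f['shortcode'], $f['attr'], $f['reason']);
}
```

Run it with php this_file.php; posts 102 and 103 are reported with the attribute and reason, post 101 is silent. Treat a hit as a lead, not a verdict: the author ID tells you which account to review, and post revisions (wp_posts rows with post_type revision) should be scanned too, since a payload that was later removed from the live post still shows who placed it.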


Vulnerability details

The Bulk Me Now! WordPress plugin through 2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CWE(s): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS enables script injection leading to browser session hijacking and web session cookie theft when pages are viewed by other users.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-12638 (same product: Ombu Bulk Me Now!)
CVE-2026-32277 (shared CWE-79)
CVE-2026-35035 (shared CWE-79)
CVE-2026-46367 (shared CWE-79)
CVE-2025-25102 (shared CWE-79)
CVE-2025-26918 (shared CWE-79)
CVE-2025-67923 (shared CWE-79)
CVE-2026-27655 (shared CWE-79)
CVE-2026-30919 (shared CWE-79)
CVE-2025-23883 (shared CWE-79)

Affected Assets

Vendor: ombu
Product: bulk me now!
Versions: ≤ 2.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly addresses the plugin's failure to validate shortcode attributes, preventing injection of malicious XSS payloads.

SI-15 Information Output Filtering (prevent)
Directly mitigates the lack of escaping of shortcode attributes before output, neutralizing XSS in rendered pages or posts.

SI-2 Flaw Remediation (prevent)
Requires prompt flaw remediation by patching the vulnerable Bulk Me Now! plugin to eliminate the stored XSS vulnerability; note that this page records no fixed version, so confirm one exists before relying on this control.
