CVE-2024-12708
Published: 30 January 2025
Summary
CVE-2024-12708 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Ombu Bulk Me Now!. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE is ranked at the 26.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-12708 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Bulk Me Now! WordPress plugin through version 2.0. The flaw arises because the plugin fails to properly validate and escape certain shortcode attributes before outputting them in pages or posts where the shortcode is embedded. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and was published on 2025-01-30.
Users with the contributor role or higher in WordPress can exploit this vulnerability by injecting malicious payloads into shortcode attributes within pages or posts they create or edit. When other users, including administrators, view the affected page or post, the unescaped output executes the injected script in their browsers, potentially leading to session hijacking, data theft, or further site compromise.
Advisories from WPScan detail the issue and recommend updating to a patched version of the plugin where available; practitioners should review the referenced WPScan vulnerability pages for specific mitigation steps and verification guidance.
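To make the defect class concrete, here is an added, hypothetical shortcode handler (not code from the Bulk Me Now! plugin; the `example_banner` shortcode and its `title`/`link` attributes are invented) showing the unsafe pattern the advisory describes beside a hardened form that uses core WordPress APIs:

```php
<?php
// Added, hypothetical example: not code from the Bulk Me Now! plugin.
// Shows the defect class the advisory describes (a shortcode attribute
// written into page HTML without validation or escaping) and the hardened
// form using WordPress core functions.

// VULNERABLE: attribute values are trusted and emitted verbatim. Any user
// who can create or edit posts (contributor and above) controls these
// strings, so whatever they contain is rendered in the browser of every
// viewer of the post, including administrators.
function example_banner_unsafe( $atts ) {
    $title = isset( $atts['title'] ) ? $atts['title'] : '';
    $link  = isset( $atts['link'] )  ? $atts['link']  : '#';
    return '<a class="banner" href="' . $link . '" title="' . $title . '">'
         . $title . '</a>';
}

// HARDENED: declare the accepted attributes with defaults (anything else
// is dropped), sanitize the values, and escape each one for the context it
// lands in (URL, HTML attribute, HTML text) at the moment of output.
function example_banner_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '#' ),
        $atts,
        'example_banner'
    );
    // esc_url() rejects schemes outside wp_allowed_protocols() (returning
    // an empty string) and encodes characters unsafe inside an attribute.
    $link  = esc_url( $atts['link'] );
    // sanitize_text_field() strips tags and control characters from input.
    $title = sanitize_text_field( $atts['title'] );
    return '<a class="banner" href="' . $link . '" title="' . esc_attr( $title ) . '">'
         . esc_html( $title ) . '</a>';
}

// Only the hardened handler is registered.
add_shortcode( 'example_banner', 'example_banner_safe' );
```

Escaping at output time rather than only on save also neutralizes attribute values that were stored before the fix was applied.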
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51063
Vulnerability details
The Bulk Me Now! WordPress plugin through 2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Related Threats: MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Stored XSS enables script injection leading to browser session hijacking and web session cookie theft when pages are viewed by other users.
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-10 (Information Input Validation): Directly addresses the plugin's failure to validate shortcode attributes, preventing injection of malicious XSS payloads.
- SI-15 (Information Output Filtering): Directly mitigates the lack of escaping of shortcode attributes before output, neutralizing XSS in rendered pages or posts.
- Flaw remediation (patching): Requires prompt remediation by patching the vulnerable Bulk Me Now! plugin to eliminate the stored XSS vulnerability.