CVE-2024-12271
Description
The 360 Javascript Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ref’ parameter in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in 360 Javascript Viewer plugin for WordPress allows authenticated admins to inject scripts via the 'ref' parameter.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the 360 Javascript Viewer plugin for WordPress (all versions up to and including 1.7.29). The issue resides in the parse method of class-jsv-360-parser.php (see [1] and [2]) where the ref parameter is insufficiently sanitized and escaped. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts. The vulnerability only affects multi-site installations or configurations where the unfiltered_html capability has been disabled.
Exploitation
To exploit this vulnerability, an attacker must be authenticated as a WordPress administrator on a multisite installation or on a site where unfiltered_html is disabled. The attacker can inject a malicious script via the ref parameter when creating or editing a post or page using the plugin's shortcode. When any user accesses the injected page, the script executes in the context of the victim's browser.
Impact
Successful exploitation leads to stored cross-site scripting, allowing the attacker to execute arbitrary HTML and JavaScript code. This can result in session hijacking, cookie theft, redirection to malicious sites, or other client-side attacks. The script runs in the context of the affected WordPress site, potentially compromising admin-level actions if executed in an admin session.
Mitigation
As of the publication date (2024-12-12), no patched version has been released. The vendor has not disclosed a fix. Until a patch is available, administrators should restrict admin access to trusted users only, disable the plugin on non-multisite installations, or enable unfiltered_html if appropriate (though this may introduce other risks). Monitoring for updates is strongly recommended.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.7.29
Patches
- r3206400
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/360deg-javascript-viewer/trunk/includes/class-jsv-360-parser.php (nvd)
- plugins.trac.wordpress.org/changeset/3206400/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/12b4e363-248f-469a-a958-0b1ec5c6e37f (nvd)
News mentions
No linked articles in our index yet.