CVE-2024-12506
Description
The NACC WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nacc' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The NACC WordPress Plugin versions <= 4.1.0 contain a stored XSS via the 'nacc' shortcode, allowing contributor-level attackers to inject arbitrary web scripts.
Vulnerability
The NACC WordPress Plugin up to and including version 4.1.0 is vulnerable to Stored Cross-Site Scripting (XSS) through the nacc shortcode. The plugin fails to properly sanitize user-supplied attributes and escape output before rendering shortcode parameters such as Theme, Language, Layout, and Show Special Keytags [1][2][3][4]. This allows malicious script injection into pages that use the shortcode.
Exploitation
An attacker must have at least Contributor-level access to a WordPress site running the vulnerable plugin. By inserting the nacc shortcode with crafted attribute values (e.g., [nacc Theme=""]), the payload is stored in the page content. When any user, including administrators, views the affected page, the injected script executes in their browser. No additional user interaction beyond page access is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of sensitive information (e.g., cookies, session tokens), defacement of the site, or redirection to malicious domains. The attack is persistent, affecting all subsequent visitors to the page.
Mitigation
As of the publication date (2024-12-20), no patched version has been released. The vendor has not provided an official update or workaround. Site administrators should disable or remove the plugin until a fix is available, and restrict contributor-level access to trusted users only. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
- https://plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.php#L68
- https://plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.php#L98
- https://plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.php#L85
- https://plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.php#L135
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=4.1.0
- Range: <=4.1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.phpnvd
- plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.phpnvd
- plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.phpnvd
- plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/d992b9dd-dfd1-497c-b09f-cca02dc87e34nvd
News mentions
0No linked articles in our index yet.