CVE-2024-12708

7.1 HIGH

📋 TL;DR

The Bulk Me Now! WordPress plugin through version 2.0 has a stored cross-site scripting (XSS) vulnerability in its shortcode attributes. Users with contributor role or higher can inject malicious scripts that execute when pages containing the shortcode are viewed. This affects all WordPress sites using vulnerable versions of the plugin.

💻 Affected Systems

Products:
  • Bulk Me Now! WordPress plugin
Versions: All versions through 2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with plugin enabled and users with contributor role or higher.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers with contributor access could inject persistent malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions as authenticated users when victims view affected pages.

🟠

Likely Case

Malicious contributors or compromised accounts inject tracking scripts, deface content, or steal limited user data through client-side attacks.

🟢

If Mitigated

With proper role-based access controls and content sanitization, impact is limited to minor content manipulation by authorized users.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires contributor-level access or higher. Exploitation involves injecting malicious scripts via shortcode attributes in posts/pages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 2.0

Vendor Advisory: https://wpscan.com/vulnerability/8f30a37e-b9d0-467b-a0e3-20dc0a9f2b61/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Bulk Me Now! plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and remove the plugin.

🔧 Temporary Workarounds

Remove Contributor Shortcode Access

all

Restrict the contributor role from using shortcodes or editing posts that contain shortcodes

Content Sanitization Filter

all

Implement output escaping for all shortcode attributes (and the rendered shortcode output) in the theme or a custom plugin
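The two workarounds above, written as a WordPress must-use plugin (an added example, not the Bulk Me Now! plugin's own code). It assumes the plugin registers the shortcode tag `bulk_me_now`, taken from the SIEM query on this page; `pre_do_shortcode_tag` and `do_shortcode_tag` are standard WordPress core filters.

```php
<?php
/**
 * Plugin Name: Bulk Me Now! shortcode hardening (mu-plugin)
 * Place in wp-content/mu-plugins/ so it loads before any regular plugin.
 * Added example, not vendor code. ASSUMPTION: the shortcode tag is
 * "bulk_me_now" (from this page's SIEM query); adjust BMN_TAG if it differs.
 */
const BMN_TAG = 'bulk_me_now';

/**
 * Workaround 1 (role restriction): only render the shortcode when the post's
 * author holds the unfiltered_html capability. Contributors never have it by
 * default, so a shortcode saved by a contributor is shown as literal text
 * instead of being executed by the plugin's handler.
 */
add_filter( 'pre_do_shortcode_tag', function ( $return, $tag, $attr, $m ) {
    if ( $tag !== BMN_TAG ) {
        return $return;                       // some other shortcode, untouched
    }
    $post = get_post();
    if ( $post && user_can( (int) $post->post_author, 'unfiltered_html' ) ) {
        return $return;                       // trusted author: normal rendering
    }
    // Returning a string short-circuits WordPress's shortcode dispatch;
    // $m[0] is the full "[bulk_me_now ...]" match, shown escaped.
    return esc_html( $m[0] );
}, 10, 4 );

/**
 * Workaround 2 (output sanitization): whatever the plugin's handler emits is
 * passed through wp_kses_post(), which strips <script>, on* event handlers and
 * javascript: URLs while keeping the markup normally allowed in post content.
 */
add_filter( 'do_shortcode_tag', function ( $output, $tag ) {
    if ( $tag !== BMN_TAG ) {
        return $output;
    }
    return wp_kses_post( $output );
}, 10, 2 );
```

Both filters fire only for the named tag, so other shortcodes on the site are unaffected; remove the mu-plugin once a fixed plugin version is installed.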

🧯 If You Can't Patch

  • Deactivate and remove the Bulk Me Now! plugin immediately
  • Implement strict role-based access controls and audit all users with contributor+ privileges

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for Bulk Me Now! version 2.0 or earlier

Check Version:

wp plugin list --name='bulk-me-now' --field=version

Verify Fix Applied:

Verify plugin version is greater than 2.0 after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual post/page edits by contributors
  • Suspicious shortcode attributes in content

Network Indicators:

  • External script loads from post content
  • Unusual outbound connections from page views

SIEM Query:

source="wordpress" AND (event="post_updated" OR event="page_updated") AND user_role="contributor" AND content CONTAINS "[bulk_me_now"
