CVE-2024-12722: 
WordPress vulnerability analysis and mitigation

The Twitter Bootstrap Collapse aka Accordian Shortcode WordPress plugin through version 1.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Bob Matyas and was assigned CVE-2024-12722 on December 17, 2024. This security issue affects WordPress installations using the Twitter Bootstrap Collapse aka Accordian Shortcode plugin version 1.0 and below (WPScan).

The vulnerability stems from the plugin's failure to properly validate and escape shortcode attributes before outputting them back in pages or posts where the shortcode is embedded. The vulnerability has been assigned a CVSS v3.1 score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue is specifically related to insufficient input validation and sanitization of shortcode parameters (NVD, WPScan).

When successfully exploited, this vulnerability allows authenticated users with contributor role or higher privileges to perform Stored Cross-Site Scripting attacks. The stored XSS payload remains persistent in the database and can affect any user viewing the compromised page or post (Wiz).

Currently, there is no known fix available for this vulnerability. Users of the Twitter Bootstrap Collapse aka Accordian Shortcode WordPress plugin should consider either removing the plugin or implementing additional security controls to restrict access to shortcode functionality (Wiz).