CVE-2024-12060: 
WordPress vulnerability analysis and mitigation

The WP Media Optimizer (.webp) plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-12060) affecting all versions up to and including 1.4.0. The vulnerability was discovered and disclosed on December 5, 2024, impacting the plugin's handling of 'wpmowebp-css-resources' and 'wpmowebp-js-resources' parameters (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's handling of specific parameters. It has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (Wordfence Intel).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users access affected pages. The impact is particularly concerning as it requires no authentication, though user interaction is necessary for successful exploitation (NVD CVE).

As of December 5, 2024, the plugin has been closed and is no longer available for download from the WordPress plugin repository due to this security issue (WordPress Plugin). Users are advised to remove the plugin from their WordPress installations until a patched version becomes available.