CVE-2024-12072: 
WordPress vulnerability analysis and mitigation

The Analytics Cat – Google Analytics Made Easy plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-12072) affecting all versions up to and including 1.1.2. The vulnerability was discovered and disclosed on December 12, 2024 (NVD).

The vulnerability stems from improper use of the add_query_arg function without appropriate URL escaping. This implementation flaw has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute in users' browsers when they perform specific actions, such as clicking on specially crafted links. This could lead to theft of sensitive information or unauthorized actions performed in the context of the victim's browser session (NVD).

Users should update to a version newer than 1.1.2 if available. If an update is not possible, it is recommended to consider removing the plugin until a patch is available (NVD).