CVE-2024-12122: 
WordPress vulnerability analysis and mitigation

The ResAds WordPress plugin, versions up to and including 2.0.6, contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-12122). The vulnerability was disclosed on January 9, 2025, affecting all installations of the ResAds plugin up to version 2.0.6. The plugin has been closed and is no longer available for download due to this security issue (NVD, WordPress Plugin).

The vulnerability stems from insufficient input sanitization and output escaping in multiple parameters of the plugin. This security flaw has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages. These injected scripts will execute if users can be tricked into performing specific actions, such as clicking on a malicious link (NVD).

As the plugin has been closed due to this security issue, the recommended mitigation is to immediately remove the ResAds plugin from WordPress installations. Website administrators should seek alternative advertisement management solutions that do not contain known security vulnerabilities (WordPress Plugin).