CVE-2024-12128: 
WordPress vulnerability analysis and mitigation

The Simple Ecommerce Shopping Cart Plugin for WordPress (versions up to 3.1.2) contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-12128) discovered on December 7, 2024. The vulnerability exists in the 'monthly_sales_current_year' parameter due to insufficient input sanitization and output escaping. This plugin has been closed since December 6, 2024, due to this security issue (NVD, WordPress Plugin).

The vulnerability is classified as a Reflected Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.1 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link (NVD).

When successfully exploited, this vulnerability allows attackers to inject and execute arbitrary web scripts in the context of targeted users' browsers. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users (NVD).

The plugin has been closed and is no longer available for download from the WordPress plugin repository as of December 6, 2024. Users should immediately remove this plugin from their WordPress installations and seek alternative e-commerce solutions (WordPress Plugin).