CVE-2024-12189: 
WordPress vulnerability analysis and mitigation

The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-12189) affecting all versions up to and including 1.2.2. The vulnerability was discovered and disclosed on March 31, 2025, with public disclosure on April 1, 2025 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the custom widgets functionality. It has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected page, potentially compromising user data and website security (NVD).

The vulnerability was patched in version 1.2.4, released on April 8, 2025. Users are strongly advised to update to this version or later to address the security issue. The update includes security patches specifically targeting the widget builder functionality (WordPress Plugin).