CVE-2024-12275: 
WordPress vulnerability analysis and mitigation

The Canvasflow for WordPress plugin through version 1.5.5 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on January 10, 2025, and was assigned CVE-2024-12275. The issue affects the plugin's admin interface and could potentially be exploited against high-privilege users such as administrators (WPScan).

The vulnerability exists because the plugin fails to properly sanitize and escape a parameter before outputting it back in the page. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is classified under CWE-79 (Cross-Site Scripting) (NVD).

This vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of a high-privilege user's browser session. Since the vulnerability affects admin users, successful exploitation could potentially lead to administrative account compromise (WPScan).

Currently, there is no known fix available for this vulnerability. Site administrators running affected versions of the Canvasflow plugin should consider either removing the plugin or implementing additional security controls to restrict access to the affected admin pages (WPScan).