CVE-2024-12288: 
WordPress vulnerability analysis and mitigation

The Simple add pages or posts plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 2.0.0. The vulnerability was discovered and disclosed on January 7, 2025, and has been assigned identifier CVE-2024-12288. The plugin has been closed on December 30, 2024 due to this security issue (NVD).

The vulnerability stems from missing or incorrect nonce validation in the plugin's functionality. This security weakness has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (NVD).

When exploited, this vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts through forged requests. The attack requires user interaction, specifically tricking a site administrator into performing actions such as clicking on a malicious link (NVD).

As the plugin has been closed due to this security issue, the primary mitigation is to uninstall the Simple add pages or posts plugin and find an alternative solution. Site administrators should review their WordPress installations and remove this plugin if it is present (WordPress Plugin).