CVE-2024-12290: 
WordPress vulnerability analysis and mitigation

The Infility Global plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-12290) via the 'set_type' parameter in versions up to and including 2.9.8. The vulnerability was disclosed on January 7, 2025 and affects the WordPress plugin's functionality due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically of the reflected type, stemming from improper neutralization of input during web page generation (CWE-79). It has received a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The impact is rated as low for both confidentiality and integrity, with no impact on availability (NVD).

Users should update the Infility Global plugin to a version newer than 2.9.8 when available. The vulnerability affects all versions up to and including 2.9.8 (NVD).