CVE-2024-12299: 
WordPress vulnerability analysis and mitigation

The System Dashboard plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-12299) discovered in all versions up to and including 2.8.15. The vulnerability was disclosed on January 30, 2025, and affects the plugin's handling of the Filename parameter (NVD).

The vulnerability is classified as a Reflected Cross-Site Scripting (CWE-79) issue that stems from insufficient input sanitization and output escaping of the Filename parameter. The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 6.1 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when administrative users perform specific actions, such as clicking on malicious links. This can lead to potential compromise of administrative user sessions and unauthorized actions being performed on the affected WordPress installation (NVD).

Users of the System Dashboard plugin should update to a version newer than 2.8.15 if available. Until an update is possible, administrators should exercise caution when clicking on links while logged into WordPress and consider implementing additional security measures such as Web Application Firewalls (NVD).