CVE-2024-12301: 
WordPress vulnerability analysis and mitigation

The JSP Store Locator WordPress plugin through version 1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2024-12301. The vulnerability was discovered and publicly disclosed on November 10, 2024, affecting all versions of the JSP Store Locator plugin up to and including version 1.0 (WPScan).

The vulnerability stems from the absence of CSRF protection mechanisms in certain plugin functionalities. The issue has been assigned a CVSS v3.1 score of 6.5 (medium severity) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The vulnerability is classified under CWE-352. A proof of concept demonstrates that the vulnerability can be exploited through specific admin panel URLs, such as accessing the store management interface with deletion parameters (NVD, WPScan).

When exploited, this vulnerability allows attackers to trick authenticated users into performing unwanted actions within the plugin's functionality without their knowledge or consent. The primary impact is the potential for unauthorized modifications or deletions of store locations within the plugin's database (Wiz).

Currently, there is no known fix available for this vulnerability. Users of the JSP Store Locator plugin should consider implementing additional security measures or evaluating alternative solutions until a patch is released (Wiz).