CVE-2024-12323: 
WordPress vulnerability analysis and mitigation

The turboSMTP plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-12323) that affects all versions up to and including 4.6. The vulnerability was disclosed on December 10, 2024, and received a CVSS v3.1 base score of 6.1 (Medium) (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping in the 'page' parameter. It has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD, Wordfence).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions while logged into turboSMTP. This could lead to the compromise of user sessions and potential access to sensitive information (NVD).

Users should upgrade their turboSMTP WordPress plugin to a version newer than 4.6 when available. The vulnerability has been identified in the source code at turbo-stats-section.php (WordPress Plugin).