CVE-2024-12339: 
WordPress vulnerability analysis and mitigation

The Digihood HTML Sitemap plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-12339) that affects all versions up to and including 3.1.1. The vulnerability was discovered and reported by Wordfence, with public disclosure on February 19, 2025 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping of the 'channel' parameter in the plugin. This security flaw has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring user interaction (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The successful exploitation could lead to theft of sensitive information or manipulation of user sessions (NVD).

Website administrators running the Digihood HTML Sitemap plugin should update to a version newer than 3.1.1 if available. If an update is not available, consider disabling the plugin until a patch is released (NVD).