CVE-2024-12423: 
WordPress vulnerability analysis and mitigation

The Contact Form 7 Redirect & Thank You Page plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-12423) that affects all versions up to and including 1.0.7. The vulnerability was discovered on January 14, 2025, and publicly disclosed on January 15, 2025 (WPScan, NVD).

The vulnerability exists due to insufficient input sanitization and output escaping of the 'post' parameter in the plugin. This security flaw has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring user interaction (Wordfence).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The impact is limited to client-side attacks that could potentially lead to data theft or session hijacking (NVD).

The vulnerability has been patched in version 1.0.8 of the Contact Form 7 Redirect & Thank You Page plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).