CVE-2024-12491: 
WordPress vulnerability analysis and mitigation

The SimplyRETS Real Estate IDX plugin for WordPress (versions up to 2.11.2) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-12491). The vulnerability exists in the plugin's 'srsearchform' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. The issue was discovered and disclosed on January 9, 2025 (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (Medium). The attack vector is network-based (AV:N), requires low attack complexity (AC:L), low privileges (PR:L), no user interaction (UI:N), and has a changed scope (S:C) with low confidentiality (C:L) and integrity (I:L) impacts, but no availability impact (A:N) (NVD, Wordfence).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Users should update their SimplyRETS Real Estate IDX plugin to a version newer than 2.11.2 when available (WordPress Plugin).