CVE-2024-12567: 
WordPress vulnerability analysis and mitigation

The Email Subscribers by Icegram Express WordPress plugin (versions before 5.7.45) was identified with a security vulnerability tracked as CVE-2024-12567. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on December 23, 2024. This security issue affects the form settings functionality of the plugin, potentially exposing WordPress installations to stored Cross-Site Scripting (XSS) attacks (WPScan).

The vulnerability stems from improper sanitization and escaping of form settings within the plugin. The issue received a CVSS 3.1 Base Score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires high privileges and user interaction to exploit, with potential impacts on confidentiality and integrity (NVD).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed, such as in multisite setups (WPScan).

The vulnerability has been patched in version 5.7.45 of the Email Subscribers plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).