CVE-2024-12568: 
WordPress vulnerability analysis and mitigation

The Email Subscribers by Icegram Express WordPress plugin before version 5.7.45 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on December 23, 2024. The issue affects the plugin's Workflow settings functionality, specifically impacting installations where high-privilege users such as administrators operate in environments where the unfiltered_html capability is disallowed, such as in multisite setups (WPScan).

The vulnerability stems from improper sanitization and escaping of Workflow settings in the plugin. The issue has been assigned a CVSS 3.1 Base Score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Cross-Site Scripting) and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (NVD, WPScan).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This is particularly significant in multisite setups where the unfiltered_html capability is typically disallowed for security reasons (WPScan).

Users are advised to update their Email Subscribers plugin to version 5.7.45 or later, which contains the fix for this vulnerability (WPScan).