CVE-2024-12598: 
WordPress vulnerability analysis and mitigation

The MyBookProgress plugin by Stormhill Media for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-12598) that affects versions up to and including 1.0.8. The vulnerability was discovered and disclosed on January 16, 2025 (NVD, Wordfence).

The vulnerability stems from insufficient input sanitization and output escaping of the 'book' parameter in the plugin. It has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD).

This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected pages, potentially leading to unauthorized access to sensitive information or manipulation of user sessions (NVD).

The plugin has been temporarily closed as of January 16, 2025, pending a full security review. Users are advised to consider removing or disabling the plugin until a patched version becomes available (WordPress Plugin).