CVE-2024-12626: 
WordPress vulnerability analysis and mitigation

The AutomatorWP plugin for WordPress (versions up to 5.0.9) contains a Reflected Cross-Site Scripting vulnerability identified as CVE-2024-12626. The vulnerability exists in the 'a-0-o-searchfieldvalue' parameter due to insufficient input sanitization and output escaping. This security issue was disclosed on December 19, 2024 (NVD).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). The severity is rated as CRITICAL with a CVSS v3.1 base score of 9.6 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). The vulnerability stems from improper input validation and output escaping in the plugin's handling of the 'a-0-o-searchfieldvalue' parameter (NVD).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. More critically, when combined with the plugin's import and code action feature, the vulnerability can be leveraged to execute arbitrary code (NVD).

Users should update their AutomatorWP plugin to a version newer than 5.0.9 to address this vulnerability. The fix has been implemented in subsequent versions to properly sanitize and escape the affected parameter (NVD).