CVE-2024-12680: 
WordPress vulnerability analysis and mitigation

The Prisna GWT WordPress plugin before version 1.4.14 contains a stored Cross-Site Scripting (XSS) vulnerability, discovered and publicly disclosed on November 25, 2024. The vulnerability affects the plugin's settings functionality and impacts WordPress installations using the Prisna GWT plugin. The issue has been assigned CVE-2024-12680 and received a CVSS score of 4.8 (MEDIUM) (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin, specifically affecting the template fields in the Advanced tab of the plugin's settings. The issue has been classified under CWE-79 (Cross-Site Scripting) and can be exploited even when the unfiltered_html capability is disallowed, which is particularly relevant in multisite WordPress setups. The vulnerability has been assigned a CVSS v3.1 score of 4.8 with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (WPScan, Wiz).

When successfully exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This could potentially lead to client-side code execution in the context of other users' browsers who access the affected pages (WPScan).

The vulnerability has been patched in version 1.4.14 of the Prisna GWT plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).