CVE-2024-12680: 
WordPress vulnerability analysis and mitigation

The Prisna GWT WordPress plugin before version 1.4.14 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on November 25, 2024, and was assigned CVE-2024-12680. This security issue affects the plugin's settings functionality and impacts WordPress installations using the Prisna GWT plugin (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin. The issue specifically affects the template fields in the Advanced tab of the plugin's settings. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79 (Cross-Site Scripting). The vulnerability can be exploited even when the unfiltered_html capability is disallowed, which is particularly relevant in multisite WordPress setups (WPScan).

When successfully exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This could potentially lead to client-side code execution in the context of other users' browsers who access the affected pages (WPScan).

The vulnerability has been patched in version 1.4.14 of the Prisna GWT plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).