CVE-2024-12699: 
WordPress vulnerability analysis and mitigation

The Service Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.9. The vulnerability was discovered and disclosed on January 7, 2025. This security issue affects the Service Box WordPress plugin, which is used for creating content boxes with icons and hover effects (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's functionality. This security flaw allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected page. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers to inject and execute malicious web scripts that run in users' browsers when they visit the compromised pages. This can lead to potential data theft, session hijacking, or other client-side attacks against site visitors (NVD).

The vulnerability has been fixed in version 2.0 of the Service Box plugin. Users are strongly advised to update to this latest version to protect against potential attacks. The update specifically addresses the Cross-Site Scripting issues (WordPress Plugin).