CVE-2024-12716: 
WordPress vulnerability analysis and mitigation

The Simple Basic Contact Form WordPress plugin before version 20250114 contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue affects the plugin's settings functionality, particularly in multisite setups where even administrators with restricted unfiltered_html capabilities could potentially exploit the vulnerability (WPScan, CVE Mitre).

The vulnerability stems from inadequate sanitization and escaping of certain plugin settings. The issue specifically affects the Error Field Attributes field in the Plugin Options section. When exploited, it allows the execution of JavaScript code through stored XSS attacks. The vulnerability has been assigned a CVSS score of 3.5 (low severity) (WPScan).

When successfully exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This is particularly significant in multisite setups where the unfiltered_html capability is typically disallowed as a security measure (WPScan).

The vulnerability has been patched in version 20250114 of the Simple Basic Contact Form plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).