CVE-2024-12724: 
WordPress vulnerability analysis and mitigation

The WP DeskLite WordPress plugin through version 1.0.0 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on December 13, 2024, and affects the plugin's parameter handling functionality. This security issue has been assigned CVE-2024-12724 and received a CVSS score of 6.1 (Medium) (NVD, WPScan).

The vulnerability stems from improper input validation where a parameter is not sanitized or escaped before being reflected back to the user in the page output. The issue has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. A proof of concept exploit involves accessing the URL path /wp-admin/edit.php?posttype=wpdlticket&">alert(1)=1">alert(1) which can trigger the XSS payload (WPScan).

The vulnerability could enable attackers to execute arbitrary JavaScript code in the context of high-privilege users' browsers, particularly targeting administrators. This could potentially lead to account compromise, unauthorized actions, or theft of sensitive information (Wiz).

Currently, there is no known fix available for this vulnerability in the WP DeskLite plugin. Users are advised to consider disabling the plugin until a security update is released (Wiz).