CVE-2024-12725: 
WordPress vulnerability analysis and mitigation

The Clasify Classified Listing WordPress plugin through version 1.0.7 contains a Reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-12725. The vulnerability was discovered and publicly disclosed on December 7, 2024, by security researcher Hassan Khan Yusufzai. This security issue affects the WordPress plugin's admin panel functionality and poses a risk specifically to high-privilege users such as administrators (WPScan).

The vulnerability stems from the plugin's failure to properly sanitize and escape a parameter before outputting it back in the page. It has been classified as CWE-79 (Cross-Site Scripting) and received a CVSS v3.1 score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability can be exploited through the admin panel using a specific path: /wp-admin/edit.php?posttype=clcpt&page=cl-payment-history&wphttp_referer=1&">alert(1)=1 (WPScan, Wiz).

When successfully exploited, this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the targeted user's browser session. The impact is particularly significant as it affects high-privilege users such as administrators, potentially compromising the security of the WordPress installation (Wiz).

Currently, there is no known fix available for this vulnerability. Users of the Clasify Classified Listing plugin version 1.0.7 or earlier should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (Wiz).