CVE-2024-12768: 
WordPress vulnerability analysis and mitigation

The Responsive iframe WordPress plugin through version 1.2.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on January 10, 2025, affecting the plugin's block options functionality. The issue stems from insufficient validation and escaping of block options before they are output back in pages or posts where the block is embedded (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue. The CVSS score is rated at 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The technical issue lies in the plugin's failure to properly validate and escape block options before rendering them in the page/post content (WPScan).

The vulnerability allows users with contributor-level privileges or higher to perform Stored Cross-Site Scripting attacks. When successfully exploited, this could lead to the execution of malicious JavaScript code in the context of other users' browsers who view the affected pages (WPScan).

Currently, there is no known fix available for this vulnerability. Users are advised to consider implementing additional security measures or restricting access to the plugin's functionality until a patch is released (WPScan).