CVE-2024-13112: 
WordPress vulnerability analysis and mitigation

The WP MediaTagger WordPress plugin through version 4.1.1 contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-13112). The vulnerability was discovered and reported by Hassan Khan Yusufzai (Splint3r7) and was publicly disclosed on January 10, 2025. The issue affects the plugin's parameter handling in the admin interface, which fails to properly sanitize and escape user input (WPScan).

The vulnerability exists due to improper sanitization and escaping of a parameter before it is output back in the page. This affects high-privilege users such as administrators. The vulnerability has been assigned a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and is classified as CWE-79: Cross-Site Scripting (NVD).

The vulnerability could allow attackers to execute arbitrary JavaScript code in the context of an administrator's browser session, potentially leading to unauthorized actions or data theft when an administrator visits a specially crafted URL (WPScan).

Currently, there is no known fix available for this vulnerability. Site administrators running affected versions of the WP MediaTagger plugin should consider either removing the plugin or implementing additional security controls until a patch is released (WPScan).