CVE-2024-13122: 
WordPress vulnerability analysis and mitigation

The AFI WordPress plugin before version 1.100.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The issue stems from improper sanitization and escaping of settings, which affects high-privilege users such as administrators, particularly in multisite setups where the unfiltered_html capability is disallowed. The vulnerability was discovered and publicly disclosed on March 3, 2025 (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue. It has been assigned a CVSS v3.1 score of 3.5 (Low) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. The vulnerability specifically affects the settings functionality within the plugin, particularly in the Academy LMS integration section (WPScan).

When exploited, this vulnerability allows high-privilege users to perform Stored Cross-Site Scripting attacks. The impact is particularly notable in multisite WordPress installations where the unfiltered_html capability is typically restricted, yet the vulnerability bypasses these restrictions (NVD).

The vulnerability has been patched in version 1.100.0 of the AFI WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).