CVE-2024-13492: 
WordPress vulnerability analysis and mitigation

The Guten Free Options WordPress plugin through version 0.9.5 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-13492. The vulnerability was discovered and publicly disclosed on January 17, 2025, by security researcher Hassan Khan Yusufzai (Splint3r7). This security flaw affects WordPress installations using the vulnerable plugin versions (WPScan).

The vulnerability stems from improper parameter handling where the plugin fails to sanitize and escape a parameter before outputting it back in the page. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Cross-Site Scripting) and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan, NVD).

The vulnerability could be exploited against high-privilege users such as administrators, potentially allowing attackers to execute malicious scripts in the context of the victim's browser session. This could lead to unauthorized access, data theft, or manipulation of the WordPress installation (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the Guten Free Options WordPress plugin should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (WPScan).