CVE-2024-13585: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2024-13585) affects the Ajax Search Lite WordPress plugin versions before 4.12.5. The issue was discovered by Dmitrii Ignatyev and was publicly disclosed on January 31, 2025. This security flaw exists in the plugin's settings functionality, where certain parameters are not properly sanitized and escaped (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified under CWE-79. It has received a CVSS v3.1 score of 3.5 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. The technical issue stems from inadequate sanitization and escaping of plugin settings, particularly affecting the 'Frontend Filters' section where the 'Categories filter box header text' can be manipulated (WPScan, NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed, such as in multisite setups. This creates a potential security risk in WordPress installations using the affected plugin versions (WPScan).

The vulnerability has been patched in version 4.12.5 of the Ajax Search Lite WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).