CVE-2024-9125: 
WordPress vulnerability analysis and mitigation

The king_IE plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-9125) discovered in all versions up to and including 1.0. The vulnerability was disclosed on September 26, 2024, affecting the WordPress plugin developed by mohsensd1373. The plugin has been closed due to this security issue (WordPress Plugin).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue (CWE-79) that occurs via SVG File uploads due to insufficient input sanitization and output escaping. The vulnerability has received a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N from NVD, while Wordfence assessed it with a score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD Database).

When successfully exploited, this vulnerability allows authenticated attackers with Author-level access and above to inject arbitrary web scripts in pages. These malicious scripts will execute whenever a user accesses the SVG file, potentially compromising the security of site visitors (NVD Database).

The WordPress plugin directory has closed the plugin as of September 25, 2024, due to this security issue. Users should immediately remove the plugin from their WordPress installations (WordPress Plugin).