Reflected Cross-Site Scripting Vulnerability in Infility Global WordPress Plugin by Infility
CVE-2024-12723

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Infility Global
Vendor: CVE Published:; 28 January 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Infility Global WordPress plugin is vulnerable to reflected cross-site scripting, primarily due to insufficient sanitization of user input. This vulnerability allows an attacker to craft malicious URLs that, when accessed by a user, can execute scripts in the context of the website. The impact is particularly significant for high-privilege users, including administrators, who may unknowingly be exposed to these scripts. It is essential for users of the Infility Global plugin to update to the latest version to mitigate potential risks associated with this vulnerability.

Affected Version(s)

Infility Global 0 <= 2.9.8

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-12723 - Proof of Concept

References

https://wpscan.com/vulnerability/d9053b8b-c05c-42fd-913e-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Jan 28, 2025
👾
Exploit known to exist
Jan 28, 2025
Vulnerability published
Jan 28, 2025
Vulnerability Reserved
Dec 17, 2024

Credit

Hassan Khan Yusufzai - Splint3r7

WPScan