Stored Cross-Site Scripting Vulnerability in IP Based Login Plugin for WordPress
CVE-2024-12800
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 15 May 2025
Badges
What is CVE-2024-12800?
The IP Based Login WordPress plugin prior to version 2.4.1 lacks proper input sanitization during the import process. This oversight can be exploited by high privilege users, such as administrators, to conduct Stored Cross-Site Scripting attacks. This vulnerability poses a significant risk, especially in multisite configurations where the unfiltered_html capability is restricted. Attackers can inject malicious scripts that may lead to unauthorized actions or data disclosure.
Affected Version(s)
IP Based Login 0 < 2.4.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved