CVE-2024-12524

CVSS 3.1 Score 6.4 of 10 (medium)

Details

Published Jan 30, 2025

CWE ID 79

Summary

CVE-2024-12524 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Clinked Client Portal plugin for WordPress. This issue, present in all versions up to 1.9, allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts. By exploiting insufficient input sanitization and output escaping on user-supplied attributes within the 'clinked-login-button' shortcode, adversaries can execute their malicious code whenever a user accesses an injected page, potentially leading to unauthorized actions or data theft.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/1e-8RW
https://www.cve.org/CVERecord?id=CVE-2024-12524
https://nvd.nist.gov/vuln/detail/CVE-2024-12524

Back to Vulnerability Database

CVE-2024-12524

CVSS 3.1 Score 6.4 of 10 (medium)

Details

Summary

Advisories, Assessments, and Mitigations