CVE-2024-12299 – The System Dashboard WordPress plugin contains ... (How to Fix)

Q: What is the severity of CVE-2024-12299?

CVE-2024-12299 has a CVSS score of 6.1 (MEDIUM). The System Dashboard WordPress plugin contains a reflected cross-site scripting (XSS) vulnerability in all versions up to 2.8.15. Unauthenticated attackers can inject malicious scripts via the Filename parameter, which execute when an administrator clicks a specially crafted link. This affects all WordPress sites using vulnerable versions of the plugin.

📋 TL;DR

The System Dashboard WordPress plugin contains a reflected cross-site scripting (XSS) vulnerability in all versions up to 2.8.15. Unauthenticated attackers can inject malicious scripts via the Filename parameter, which execute when an administrator clicks a specially crafted link. This affects all WordPress sites using vulnerable versions of the plugin.

💻 Affected Systems

Products:

System Dashboard WordPress Plugin

Versions: All versions up to and including 2.8.15

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the plugin activated. Attack requires administrator interaction.

📦 What is this software?

System Dashboard by Bowo

View all CVEs affecting System Dashboard →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors.

🟠

Likely Case

Session hijacking, credential theft, or unauthorized administrative actions through social engineering.

🟢

If Mitigated

Limited impact if administrators avoid suspicious links and use security plugins.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires social engineering to trick administrators into clicking malicious links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.16 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3168486%40system-dashboard&new=3168486%40system-dashboard

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find System Dashboard plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.8.16+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily deactivate the System Dashboard plugin until patched.

wp plugin deactivate system-dashboard

Web Application Firewall Rule

all

Block requests containing malicious script patterns in Filename parameter.

🧯 If You Can't Patch

Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
Educate administrators about phishing risks and implement link validation procedures.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > System Dashboard for version number. If version is 2.8.15 or lower, you are vulnerable.

Check Version:

wp plugin get system-dashboard --field=version

Verify Fix Applied:

Confirm plugin version is 2.8.16 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

HTTP requests with suspicious script tags in Filename parameter
Unusual admin activity following suspicious link clicks

Network Indicators:

Outbound connections to unknown domains following admin link clicks
Suspicious referrer headers containing script payloads

SIEM Query:

web.url:*filename=*<script* OR web.url:*filename=*javascript:*

📊 Metadata

CVE ID: CVE-2024-12299

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.52% exploit probability (66.3th percentile)

Published: January 30, 2025

Last Updated: January 31, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-12299, you might also want to check these: