CVE-2024-12723
📋 TL;DR
This vulnerability in the Infility Global WordPress plugin allows attackers to inject malicious scripts via unsanitized parameters, which execute when viewed by administrators or other high-privilege users. It affects WordPress sites using Infility Global plugin versions up to 2.9.8. Attackers can exploit this to steal session cookies, redirect users, or perform actions as the victim.
💻 Affected Systems
- Infility Global WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full site takeover, data theft, malware injection, or complete defacement.
Likely Case
Session hijacking of admin users, credential theft, or unauthorized actions performed with admin privileges.
If Mitigated
Limited impact if proper input validation and output escaping are implemented, or if admin users have script blockers.
🎯 Exploit Status
Exploitation requires tricking a high-privilege user into clicking a malicious link. No authentication needed to craft the exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.9 or later
Vendor Advisory: https://wpscan.com/vulnerability/d9053b8b-c05c-42fd-913e-f85c799df807/
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Infility Global plugin.
4. Click 'Update Now' if update available.
5. Alternatively, download latest version from WordPress repository and manually update.
🔧 Temporary Workarounds
Input Validation Filter
Add a custom PHP filter to sanitize the vulnerable parameter before processing.
Add to theme's functions.php or custom plugin: `add_filter('preprocess_infility_param', 'esc_attr');`
Disable Plugin
Temporarily disable the Infility Global plugin until patched.
Navigate to WordPress admin > Plugins > Installed Plugins, find Infility Global, click Deactivate.
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads in the vulnerable parameter.
- Educate administrators to avoid clicking untrusted links and use browser extensions that block reflected XSS.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin > Plugins > Installed Plugins. If Infility Global version is 2.9.8 or lower, it's vulnerable.
Check Version:
`wp plugin list --name="Infility Global" --field=version` (if WP-CLI installed). Note that `--name` filters on the plugin slug as printed in the `name` column of `wp plugin list`, not on the display title, so substitute the slug shown there if the command returns nothing.
Verify Fix Applied:
Confirm plugin version is 2.9.9 or higher after update. Test parameter injection with safe payload like <script>alert('test')</script> to ensure it's sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests containing script tags or JavaScript in parameters related to Infility Global plugin.
Network Indicators:
- HTTP requests with suspicious parameters like ?parameter=<script>alert()</script> targeting WordPress site.
SIEM Query:
source="web_logs" AND (url="*infility*" AND (param="*<script>*" OR param="*javascript:*"))
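Raw access logs usually carry the payload percent-encoded (`%3Cscript%3E`), so a literal `*<script>*` match like the query above only works if the pipeline decodes first. The following is an added detection example, not from the advisory or the plugin vendor: it parses constructed combined-format access log lines, restricts to URLs containing the plugin marker (assumed here to be "infility", mirroring the SIEM query), repeatedly decodes each query parameter so double-encoded values are also caught, and flags script-like values.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed combined-format access log lines (sample data, not real traffic).
# The admin.php?page=infility-global path is an assumption about the plugin's endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "GET /wp-admin/admin.php?page=infility-global&q=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:01:09 +0000] "GET /wp-admin/admin.php?page=infility-global&q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:02:15 +0000] "GET /?s=javascript%3Aalert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jan/2025:10:03:00 +0000] "GET /wp-admin/admin.php?page=infility-global&q=%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Fields of a combined-format log line up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Script tags, javascript: URLs and inline event handlers, matched after decoding.
XSS_RE = re.compile(r'<\s*script|javascript\s*:|on\w+\s*=', re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_requests(log_text, plugin_marker="infility"):
    """Return (client_ip, parameter, decoded_value) for plugin URLs carrying script-like values."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if plugin_marker not in path.lower():
            continue  # scoped to the plugin's URLs, like the SIEM query's url="*infility*"
        for name, raw in parse_qsl(urlsplit(path).query, keep_blank_values=True):
            value = decode_fully(raw)  # parse_qsl decoded once; peel further layers
            if XSS_RE.search(value):
                hits.append((m.group("ip"), name, value))
    return hits


if __name__ == "__main__":
    for ip, param, value in flag_requests(SAMPLE_LOG):
        print(f"{ip} param={param!r} value={value!r}")
```

The third sample line is deliberately not flagged because it does not touch a plugin URL; widen `plugin_marker` (or drop the path check) if the vulnerable endpoint on your site does not contain that string.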