CVE-2024-12724 – WP DeskLite WordPress plugin through version 1.... (How to Fix)

Q: What is the severity of CVE-2024-12724?

CVE-2024-12724 has a CVSS score of 6.1 (MEDIUM). WP DeskLite WordPress plugin through version 1.0.0 contains a reflected cross-site scripting (XSS) vulnerability where unsanitized user input is reflected back in page output. This allows attackers to execute malicious JavaScript in the context of authenticated users, particularly targeting high-privilege administrators. All WordPress sites using vulnerable versions of this plugin are affected.

📋 TL;DR

WP DeskLite WordPress plugin through version 1.0.0 contains a reflected cross-site scripting (XSS) vulnerability where unsanitized user input is reflected back in page output. This allows attackers to execute malicious JavaScript in the context of authenticated users, particularly targeting high-privilege administrators. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:

WP DeskLite WordPress Plugin

Versions: All versions through 1.0.0

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with WP DeskLite plugin enabled. The vulnerability is in parameter handling that reflects unsanitized input.

📦 What is this software?

Wp Desklite by Codeflock

View all CVEs affecting Wp Desklite →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, perform actions as administrators (install malicious plugins, modify content), or redirect users to malicious sites.

🟠

Likely Case

Attackers craft malicious links containing JavaScript payloads that execute when administrators click them, potentially leading to session hijacking or limited administrative actions.

🟢

If Mitigated

With proper input validation and output escaping, the malicious payload would be neutralized before execution, preventing any impact.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Reflected XSS vulnerabilities are commonly exploited via crafted URLs. No authentication is required to trigger the vulnerability, though targeting administrators requires them to visit malicious links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1 or later

Vendor Advisory: https://wpscan.com/vulnerability/9dd3ffaa-9020-47a6-bf9a-7e1412b9e9d5/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WP DeskLite plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download latest version from WordPress repository and replace plugin files.

🔧 Temporary Workarounds

Disable WP DeskLite Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate wp-desklite

Implement Web Application Firewall (WAF)

all

Configure WAF rules to block XSS payloads in URL parameters

🧯 If You Can't Patch

Disable WP DeskLite plugin completely
Implement strict Content Security Policy (CSP) headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP DeskLite version 1.0.0 or earlier

Check Version:

wp plugin get wp-desklite --field=version

Verify Fix Applied:

Verify WP DeskLite plugin version is 1.0.1 or later in WordPress admin

📡 Detection & Monitoring

Log Indicators:

Unusual long parameter values in WordPress access logs
JavaScript patterns in URL parameters

Network Indicators:

HTTP requests with JavaScript payloads in query parameters to WordPress endpoints

SIEM Query:

source="wordpress_access.log" AND (url="*<script*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")

📊 Metadata

CVE ID: CVE-2024-12724

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.72% exploit probability (72.1th percentile)

Published: May 15, 2025

Last Updated: June 11, 2025

🔗 References

https://wpscan.com/vulnerability/9dd3ffaa-9020-47a6-bf9a-7e1412b9e9d5/ Exploit,Third Party Advisory
https://wpscan.com/vulnerability/9dd3ffaa-9020-47a6-bf9a-7e1412b9e9d5/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-12724, you might also want to check these: