CVE-2024-12598
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The MyBookProgress plugin (≤1.0.8) stores unsanitized input via the ‘book’ parameter, allowing Contributor+ users to inject arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The MyBookProgress by Stormhill Media plugin for WordPress, all versions up to and including 1.0.8, is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping of the ‘book’ parameter [description]. This flaw allows authenticated attackers with at least Contributor-level access to inject arbitrary web scripts that are stored on the server and later executed in the browsers of users visiting affected pages. The plugin has been closed and removed from the WordPress.org plugin directory as of January 16, 2025, citing a security issue [1].
Exploitation
An attacker must have a WordPress account with Contributor-level access or higher to exploit the vulnerability. The attacker crafts a payload containing malicious JavaScript and supplies it via the ‘book’ parameter when submitting a book progress entry. The payload is stored in the database without proper sanitization. When any user (including administrators or site visitors) views the page that displays the book data, the injected script executes in their browser, enabling the attacker's code to run within the security context of the victim's session [description]. Since the plugin is no longer maintained, exploitation remains possible on active installations.
Impact
Successful exploitation leads to Stored Cross-Site Scripting (XSS), allowing the attacker to execute arbitrary JavaScript in the browser of any user who accesses the compromised page. This can result in session hijacking, credential theft, defacement, redirection to malicious sites, or further privilege escalation within the WordPress instance. The attacker’s scope is limited to the browser environment, but the stored nature means persistent compromise of the affected pages [description].
Mitigation
The plugin has been closed and removed from the official WordPress.org plugin directory as of January 16, 2025, with no patched version distributed [1]. No official workaround or patch has been published by the vendor. Users running this plugin should uninstall it immediately. There is no indication that CVE-2024-12598 is listed in the CISA Known Exploited Vulnerabilities catalog as of the publication date. The only effective mitigation is to remove the plugin and review any stored book data for malicious content.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
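The defect class described above (a ‘book’ value stored without sanitization and rendered without escaping) and its hardened counterpart, as an illustrative example added here; this is not the MyBookProgress plugin's actual code, and the function names, meta key and nonce action are assumptions:

```php
<?php
// Illustrative pattern only: NOT the MyBookProgress plugin's actual code.
// Shows the defect class the advisory describes (a 'book' value stored without
// sanitization and echoed without escaping) next to a hardened form that uses
// WordPress core APIs for capability checks, nonces, sanitization and escaping.
// The meta key '_mbp_demo_book' and nonce action 'mbp_demo_save_book' are assumptions.

// --- Vulnerable pattern: raw input stored, raw value echoed -----------------
function mbp_demo_save_book_vulnerable( int $post_id ): void {
    if ( isset( $_POST['book'] ) ) {
        // Stored as-is: a Contributor-level user can persist markup such as
        // "<script>...</script>" in the database.
        update_post_meta( $post_id, '_mbp_demo_book', $_POST['book'] );
    }
}

function mbp_demo_render_book_vulnerable( int $post_id ): string {
    // Echoed as-is: whatever was stored runs in every viewer's browser.
    return '<p class="book">' . get_post_meta( $post_id, '_mbp_demo_book', true ) . '</p>';
}

// --- Hardened pattern --------------------------------------------------------
function mbp_demo_save_book_hardened( int $post_id ): bool {
    // Only users allowed to edit this specific post may change its book data,
    // and the request must carry a valid nonce for this action.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    check_admin_referer( 'mbp_demo_save_book', 'mbp_demo_nonce' );
    if ( ! isset( $_POST['book'] ) ) {
        return false;
    }
    // Remove the slashes WordPress adds to request data, then reduce the value
    // to plain text: tags stripped, octets and line breaks normalised.
    $book = sanitize_text_field( wp_unslash( $_POST['book'] ) );
    update_post_meta( $post_id, '_mbp_demo_book', $book );
    return true;
}

function mbp_demo_render_book_hardened( int $post_id ): string {
    // Escape at output time regardless of what is stored: this also neutralises
    // legacy records saved before input sanitization existed.
    $book = get_post_meta( $post_id, '_mbp_demo_book', true );
    return '<p class="book">' . esc_html( $book ) . '</p>';
}
```

The output-time escaping is the part that matters for the "review any stored book data" mitigation step: records already written by the vulnerable path stay inert once rendering escapes them.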
Affected products
- MyBookProgress by Stormhill Media (no CPE assigned); affected range: <=1.0.8
Patches
- mybookprogress (0 patches): This plugin has been removed from the WordPress.org directory on 2025-01-16 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.