CVE-2024-10552: 
WordPress vulnerability analysis and mitigation

The Flexmls® IDX Plugin for WordPress has been identified with a Stored Cross-Site Scripting vulnerability (CVE-2024-10552), discovered on January 24, 2025. The vulnerability affects all versions up to and including 3.14.26, with a partial patch implemented in version 3.14.25. The issue stems from insufficient input sanitization and output escaping in the 'apikey' and 'apisecret' parameters (NVD NIST).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. This indicates a network-accessible vulnerability with low attack complexity, requiring low privileges, no user interaction, and having a changed scope with low impacts on confidentiality and integrity (NVD NIST, Wordfence Intel).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation (NVD NIST).

A partial patch was implemented in version 3.14.25, with further fixes potentially available in subsequent versions. Users are advised to update their Flexmls® IDX Plugin to the latest version available (NVD NIST).