Cyber Posture

CVE-2024-12633

High

Published: 07 January 2025

Published
07 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0107 77.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12633 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.1 (High).

Operationally, ranked in the top 22.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mandates validation and sanitization of inputs like the 'page' parameter to block injection of arbitrary web scripts.

SI-15 Information Output Filtering good match
prevent

Requires filtering and escaping of information outputs to prevent reflected XSS payloads from executing in users' browsers.

SI-2 Flaw Remediation good match
prevent

Ensures identification, reporting, and correction of flaws like this XSS vulnerability through timely patching of the affected WordPress plugin.

NVD Description

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page parameter in all versions up to, and including, 5.6.17 due to insufficient input sanitization and output…

more

escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Deeper analysisAI

CVE-2024-12633 is a reflected cross-site scripting (XSS) vulnerability in the JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress, affecting all versions up to and including 5.6.17. The issue arises from insufficient input sanitization and output escaping of the 'page' parameter, allowing arbitrary web scripts to be injected into pages.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no privileges required, but it necessitates user interaction such as clicking a malicious link. Successful exploitation leads to script execution in the victim's browser, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating low impacts on confidentiality, integrity, and availability but elevated severity due to changed scope.

Advisories reference a patch in WordPress plugin Trac changeset 3209054 at https://plugins.trac.wordpress.org/changeset/3209054/joomsport-sports-league-results-management. Additional threat intelligence is available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/b4503e2c-0d0d-45de-a597-baace44a98a7?source=cve.

Details

CWE(s)
CWE-79

Affected Products

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-2101Shared CWE-79
CVE-2025-0817Shared CWE-79
CVE-2025-22751Shared CWE-79
CVE-2024-26006Shared CWE-79
CVE-2025-7760Shared CWE-79
CVE-2026-30862Shared CWE-79
CVE-2025-67614Shared CWE-79
CVE-2025-23489Shared CWE-79
CVE-2026-23807Shared CWE-79
CVE-2025-26989Shared CWE-79

References