CVE-2024-0239: 
WordPress vulnerability analysis and mitigation

The Contact Form 7 Connector WordPress plugin before version 1.2.3 contains a Reflected Cross-Site Scripting (XSS) vulnerability that affects administrators. The vulnerability was discovered by Krzysztof Zając from CERT PL and was publicly disclosed on January 9, 2024, receiving the identifier CVE-2024-0239 (WPScan).

The vulnerability stems from improper sanitization and escaping of a parameter before it is output back in the page. The CVSS v3.1 base score is 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

When exploited, this vulnerability could allow attackers to execute cross-site scripting attacks against administrators of WordPress sites running the vulnerable plugin. The attack requires user interaction and can lead to unauthorized data access or manipulation within the administrator's browser context (WPScan).

The vulnerability has been fixed in version 1.2.3 of the Contact Form 7 Connector plugin. Site administrators are advised to update to this version or later to mitigate the security risk (WPScan).