CVE-2024-0254: 
WordPress vulnerability analysis and mitigation

The (Simply) Guest Author Name plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-0254) that affects all versions up to and including 4.34. The vulnerability was discovered and disclosed on February 5, 2024 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's post meta. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N by NIST, while Wordfence assigned a score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to data theft or manipulation of user interactions (NVD).

Users should update to a version newer than 4.34 if available. Until an update is applied, it is recommended to restrict access to contributor-level permissions and carefully monitor user activities related to post meta modifications (NVD).