CVE-2024-0420: 
WordPress vulnerability analysis and mitigation

The MapPress Maps for WordPress plugin before version 2.88.15 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-0420. The vulnerability was discovered on January 17, 2024, and affects the plugin's map title handling functionality in the WordPress admin dashboard (WPScan).

The vulnerability stems from improper sanitization and escaping of map titles when they are displayed in the admin dashboard. The issue has been assigned a CVSS 3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows users with Contributor-level permissions or higher to perform Stored Cross-Site Scripting attacks through the map title field. The XSS payload becomes active when any user accesses the post dashboard (/wp-admin/edit.php?post_type=post) (WPScan).

The vulnerability has been patched in version 2.88.15 of the MapPress Maps for WordPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).