CVE-2024-0587: 
WordPress vulnerability analysis and mitigation

The AMP for WP – Accelerated Mobile Pages plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-0587) discovered in January 2024. The vulnerability affects all versions up to and including 1.0.92.1. This security issue exists due to insufficient input sanitization and output escaping on the executed JS file, specifically related to the 'disqus_name' parameter (NVD).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically involves the 'disqus_name' parameter in the plugin's JavaScript file execution process (Wordfence).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This could potentially lead to the compromise of user data or session information within the context of the affected WordPress site (NVD).

The vulnerability has been patched in version 1.0.93 of the AMP for WP plugin. Site administrators are strongly advised to update to this version or later to protect against this security issue (WPScan).