CVE-2024-0597: 
WordPress vulnerability analysis and mitigation

The SEO Plugin by Squirrly SEO for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-0597) affecting all versions up to and including 12.3.15. The vulnerability was discovered and reported by Wordfence, with the initial disclosure on February 5, 2024 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's admin settings. This security flaw has received a CVSS v3.1 base score of 4.8 (MEDIUM) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Wordfence assigned a slightly lower score of 4.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. When a user accesses an injected page, the malicious scripts will execute. The scope of impact is limited to multi-site installations and installations where unfiltered_html has been disabled (NVD).

A patch has been released to address this vulnerability. Users should update their SEO Plugin by Squirrly SEO to a version newer than 12.3.15 (WordPress Patch).