CVE-2024-0625: 
WordPress vulnerability analysis and mitigation

The WPFront Notification Bar WordPress plugin (versions up to 3.3.2) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-0625) discovered in January 2024. The vulnerability exists in the 'wpfront-notification-bar-options[custom_class]' parameter due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 4.8 (Medium) according to NVD, and 4.4 (Medium) according to Wordfence. The vulnerability stems from improper input sanitization and output escaping in the plugin's custom class parameter. This security flaw only affects multi-site installations and installations where unfiltered_html capability has been disabled (NVD, WPScan).

The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page. The impact is limited to multi-site installations and installations where unfiltered_html has been disabled (NVD).

The vulnerability has been patched in version 3.4 of the WPFront Notification Bar plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).