CVE-2024-0630: 
WordPress vulnerability analysis and mitigation

The WP RSS Aggregator plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-0630) affecting all versions up to and including 4.23.4. The vulnerability was discovered by Colin Xu and publicly disclosed on January 25, 2024. The issue affects WordPress installations with multi-site configurations and where unfiltered_html has been disabled (Wordfence Advisory, NVD Database).

The vulnerability stems from insufficient input sanitization and output escaping in the RSS feed source functionality. The issue has been assigned a CVSS v3.1 base score of 4.8 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Wordfence assigned a score of 4.4 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD Database).

When exploited, this vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user interactions (NVD Database).

A patch has been released to address this vulnerability. Website administrators are advised to update their WP RSS Aggregator plugin to a version newer than 4.23.4 (WordPress Patch).