CVE-2024-0657: 
WordPress vulnerability analysis and mitigation

The Internal Link Juicer: SEO Auto Linker for WordPress plugin is vulnerable to Stored Cross-Site Scripting (CVE-2024-0657) in versions up to and including 2.23.4. The vulnerability exists in admin settings such as 'ilj_settings_field_links_per_page' due to insufficient input sanitization and output escaping (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's admin settings. The CVSS 3.1 base score is 4.8 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, high privileges, and user interaction, with low impact on confidentiality and integrity (NVD).

When exploited, this vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The scope is limited to multi-site installations and installations where unfiltered_html has been disabled (NVD).

Users should update to a version newer than 2.23.4 of the Internal Link Juicer plugin to address this vulnerability. A patch has been made available to fix the insufficient input sanitization and output escaping issues (WordPress Patch).