CVE-2024-0678: 
WordPress vulnerability analysis and mitigation

The Order Delivery Date for WP e-Commerce plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-0678) that affects all versions up to and including 1.2. The vulnerability was discovered and disclosed on February 5, 2024, impacting the WordPress plugin's handling of the 'available-days-tf' parameter (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's handling of the 'available-days-tf' parameter. The CVSS v3.1 base score is 6.1 (Medium) according to NVD's assessment (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), while Wordfence rates it at 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to the compromise of user data and session information (NVD).

Users should update to a version newer than 1.2 if available, or consider implementing additional security controls at the web application level to filter malicious input. The vulnerable code can be found in the plugin's source at line 221 (WordPress Plugin).