CVE-2024-0703: 
WordPress vulnerability analysis and mitigation

The Sticky Buttons – floating buttons builder plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-0703) affecting all versions up to and including 3.2.2. The vulnerability was discovered and reported by Wordfence, with the initial disclosure on January 23, 2024 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the handling of sticky URLs. The issue has been assigned a CVSS v3.1 base score of 4.8 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it with a score of 4.4 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. When exploited, these malicious scripts will execute whenever a user accesses an injected page. The impact is limited to multi-site installations and installations where unfiltered_html has been disabled (NVD).

A patch has been released to address this vulnerability. Users should update their Sticky Buttons plugin to a version newer than 3.2.2 (Wordpress Patch).