CVE-2024-10145: 
WordPress vulnerability analysis and mitigation

The Hubbub Lite WordPress plugin before version 1.34.4 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-10145. The vulnerability was discovered and disclosed in September 2024, affecting the plugin's settings functionality. The issue stems from inadequate sanitization and escaping of certain plugin settings, which impacts WordPress installations, particularly in multisite setups (WPScan).

The vulnerability exists due to improper sanitization and escaping of settings in the plugin's social networks configuration. The issue specifically affects the Inline Content panel where network names can be manipulated to inject malicious scripts. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79 (Cross-Site Scripting) (WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed. This is particularly concerning in multisite WordPress setups where content filtering is typically more strictly enforced (WPScan).

The vulnerability has been patched in version 1.34.4 of the Hubbub Lite plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).