CVE-2024-10180: 
WordPress vulnerability analysis and mitigation

The Contact Form 7 – Repeatable Fields plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.0.1. The vulnerability was discovered in the plugin's field_group shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. The issue was addressed in version 2.0.2, released on October 22, 2024 (WordPress Plugin).

The vulnerability stems from inadequate sanitization of user-supplied attributes in the field_group shortcode functionality. This security flaw allows authenticated users with contributor-level access or higher to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD Database).

When exploited, the vulnerability allows attackers to inject malicious web scripts that execute whenever a user accesses an affected page. This can lead to unauthorized access to sensitive information and potential manipulation of user data within the context of the affected WordPress site (NVD Database).

The vulnerability has been patched in version 2.0.2 of the Contact Form 7 – Repeatable Fields plugin. Site administrators should immediately update to this version, which implements proper sanitization of wrapper div attributes. The update also includes several security improvements, including updates to various node packages to address potential security issues (WordPress Plugin).