CVE-2024-10182: 
WordPress vulnerability analysis and mitigation

The Cognito Forms plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-10182) in versions up to and including 2.0.6. The vulnerability was discovered by Peter Thaleikis and publicly disclosed on December 11, 2024. The issue affects the plugin's handling of the 'id' parameter due to insufficient input sanitization and output escaping (WPScan, NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.4 (Medium), vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The weakness is identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability stems from improper sanitization of the 'id' parameter, allowing for the persistent storage of malicious scripts (Wordfence).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user sessions (NVD).

No official fix has been reported as available at the time of disclosure. Users are advised to exercise caution when granting Contributor or higher-level access to their WordPress installations and to monitor for any suspicious activity (WPScan).