CVE-2024-10471: 
WordPress vulnerability analysis and mitigation

The Everest Forms WordPress plugin before version 3.0.4.2 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-10471. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on November 5, 2024. This security issue affects the plugin's settings functionality, specifically impacting installations where high-privilege users such as administrators are present (WPScan).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin. The issue specifically manifests in the Email Block's 'Custom Required Message' field settings. The CVSS 3.1 score for this vulnerability is 4.8 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity but requiring high privileges (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed, such as in multisite setups. This creates a potential security risk in WordPress installations using the affected versions of the Everest Forms plugin (WPScan).

The vulnerability has been patched in version 3.0.4.2 of the Everest Forms plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).