CVE-2024-10522: 
WordPress vulnerability analysis and mitigation

The Co-marquage service-public.fr plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-10522) affecting all versions up to and including 0.5.76. The vulnerability was discovered on November 20, 2024, and stems from improper URL escaping in the addqueryarg function (NVD, WordPress Plugin).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue specifically relates to the improper use of the addqueryarg function without appropriate URL escaping (NVD).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This can lead to the compromise of user sessions and potential data exposure (NVD).

The vulnerability has been addressed in version 0.5.77 of the plugin. Users are advised to update to this latest version which includes fixes for Cross-Site Scripting in admin notices.class.php and improved variable escaping in template files (WordPress Plugin).