CVE-2024-10554: 
WordPress vulnerability analysis and mitigation

The WordPress WP-Advanced-Search plugin before version 3.3.9.3 contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue was discovered and publicly disclosed on March 3, 2025 (WPScan Details).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly concerning in multisite setups. The vulnerability has been assigned a CVSS v3.1 score of 3.5 (Low) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N (NVD Database).

When exploited, this vulnerability allows attackers with administrative privileges to store and execute malicious JavaScript code on the website. This can potentially affect other users viewing the Advanced Search functionality, leading to client-side attacks (WPScan Details).

The vulnerability has been patched in version 3.3.9.3 of the WP-Advanced-Search plugin. Website administrators are advised to update to this version or later to mitigate the security risk (WPScan Details).