CVE-2024-10632: 
WordPress vulnerability analysis and mitigation

The Nokaut Offers Box WordPress plugin through version 1.4.0 contains a stored Cross-Site Scripting (XSS) vulnerability that affects high-privilege users such as administrators. This vulnerability exists due to improper sanitization and escaping of certain plugin settings, which remains exploitable even when the unfiltered_html capability is disabled, such as in multisite setups (WPScan).

The vulnerability specifically affects the settings tab of the Nokaut Offers Box plugin panel, where the 'Nazwa domyślnego szablonu' field is vulnerable to XSS attacks. The issue has been assigned a CVSS score of 3.5 (low severity). The vulnerability is classified as CWE-79 (Cross-Site Scripting) and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

When exploited, this vulnerability allows high-privilege users to store and execute malicious JavaScript code in the plugin settings. This could potentially lead to the theft of sensitive data, including cookies and session information, from users who access the affected admin panels (WPScan).

Currently, there is no known fix available for this vulnerability. Users should exercise caution when granting administrative access to their WordPress installations and monitor for any suspicious activity in the plugin settings (WPScan).