CVE-2024-10647: 
WordPress vulnerability analysis and mitigation

The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin is affected by a Reflected Cross-Site Scripting vulnerability (CVE-2024-10647) in versions up to and including 1.9.244. The vulnerability was disclosed on November 5, 2024, and affects the WordPress plugin's handling of URL parameters (NVD CVE).

The vulnerability stems from improper use of the remove_query_arg function without appropriate URL escaping. This implementation flaw has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD CVE).

When successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages. These malicious scripts will execute when users are tricked into performing specific actions, such as clicking on a crafted link (NVD CVE).

A patch has been released to address this vulnerability. Users should upgrade their WS Form LITE plugin to a version newer than 1.9.244 to protect against this security issue (WordPress Patch).