CVE-2024-10815: 
WordPress vulnerability analysis and mitigation

The PostLists WordPress plugin through version 2.0.2 contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-10815). The vulnerability was discovered and reported by Bob Matyas, and was publicly disclosed on December 19, 2024. The issue affects the plugin's handling of the $SERVER['REQUESTURI'] parameter, which is not properly escaped before being output in an attribute (WPScan).

The vulnerability stems from improper input validation where the plugin fails to escape the $SERVER['REQUESTURI'] parameter before outputting it back in an attribute. This security flaw has been assigned a CVSS v3.1 base score of 4.2 (Medium) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. The vulnerability is specifically classified as CWE-79 and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

The vulnerability could lead to Reflected Cross-Site Scripting attacks in old web browsers. When successfully exploited, this could allow attackers to execute malicious scripts in the context of the victim's browser session, potentially leading to theft of sensitive information or unauthorized actions (WPScan).

Currently, there is no known fix available for this vulnerability in the PostLists plugin (WPScan).