CVE-2024-10869: 
WordPress vulnerability analysis and mitigation

The WordPress Brute Force Protection – Stop Brute Force Attacks plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-10869) affecting all versions up to and including 2.2.6. This vulnerability was discovered and reported by Wordfence, with a CVSS v3.1 base score of 6.1 (Medium) (NVD, Wordfence).

The vulnerability stems from improper escaping of URL parameters through the use of addqueryarg & removequeryarg functions. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has been assigned a CVSS v3.1 Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This can lead to potential compromise of user sessions and data exposure (NVD).

Users should upgrade to a version newer than 2.2.6 when available. As this is a recently disclosed vulnerability, specific mitigation details are still emerging (NVD).