CVE-2024-10896: 
WordPress vulnerability analysis and mitigation

The Logo Slider WordPress plugin before version 4.5.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly sanitize and escape some of its Logo and Slider settings, which could allow high privilege users such as Contributors to perform Stored Cross-Site Scripting attacks (WPScan).

The vulnerability exists due to improper sanitization and escaping of Logo and Slider settings. The issue affects multiple fields including the "Brand Name", "Logo Image Height", and "Logo Image Width" fields. The vulnerability has been assigned a CVSS v3.1 score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated users with Contributor-level privileges to store and execute malicious JavaScript code. When other users, including administrators, edit the affected logo or slider entries, the stored malicious code will be executed in their browser context (WPScan).

Users are advised to update to Logo Slider version 4.5.0 or later, which contains fixes for these security issues. The vulnerability was initially partially fixed in version 4.1.0, but additional attack vectors were discovered and fully patched in version 4.5.0 (WPScan).