CVE-2024-11720: 
WordPress vulnerability analysis and mitigation

The Frontend Admin by DynamiApps plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-11720) affecting all versions up to and including 3.24.5. The vulnerability was discovered and reported by Wordfence, with disclosure on December 14, 2024 (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping on the new Taxonomy form. It has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD CVE).

When successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. However, the exploitation is only possible when lower-level users have been granted access to submit specific forms, which is disabled by default (NVD CVE).

Users should update the Frontend Admin by DynamiApps plugin to a version newer than 3.24.5 to address this vulnerability. Additionally, ensuring that form submission access is properly restricted to trusted users can help mitigate the risk (NVD CVE).