CVE-2024-13378: 
WordPress vulnerability analysis and mitigation

The Gravity Forms plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-13378) discovered in versions 2.9.0.1 through 2.9.1.3. The vulnerability exists due to insufficient input sanitization and output escaping in the 'style_settings' parameter (NVD, Patchstack).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N. The vulnerability specifically affects the Chrome web browser and requires directly browsing the media file via the attachment post. The issue stems from improper sanitization of the 'style_settings' parameter, which allows for injection of malicious scripts (NVD).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. The impact is limited to Chrome web browser users who directly browse the media file via the attachment post (NVD).

The vulnerability has been patched in version 2.9.2 of the Gravity Forms plugin. Users are advised to update to this version or later to resolve the security issue (Gravity Forms Changelog).