CVE-2024-1590: 
WordPress vulnerability analysis and mitigation

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress has been identified with a Stored Cross-Site Scripting vulnerability (CVE-2024-1590). The vulnerability affects all versions up to and including 1.8.2 of the plugin. This security issue was discovered and reported by Wordfence, with the public disclosure date being February 23, 2024 (NVD, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes specifically in the plugin's Button Widget. The issue has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received varying CVSS scores: NIST assigned a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence rated it at 4.6 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user interactions (NVD).

The vulnerability has been patched in version 1.8.3 of the Pagelayer plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).