CVE-2024-1663: 
WordPress vulnerability analysis and mitigation

The Ultimate Noindex Nofollow Tool II WordPress plugin before version 1.3.6 contains a stored Cross-Site Scripting (XSS) vulnerability, discovered by Bob Matyas and publicly disclosed on February 3, 2024. The vulnerability affects the plugin's settings functionality, specifically impacting WordPress installations, including multisite setups (WPScan Details).

The vulnerability stems from improper sanitization and escaping of settings within the plugin, allowing high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled. The vulnerability has been assigned a CVSS score of 4.8 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD Entry, WPScan Details).

When exploited, this vulnerability enables high-privilege users to inject and store malicious JavaScript code in the plugin's settings. The stored XSS can potentially affect other users who access the affected pages, even in environments where HTML filtering is typically enforced (WPScan Details).

The vulnerability has been patched in version 1.3.6 of the Ultimate Noindex Nofollow Tool II plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan Details).