CVE-2024-1983: 
WordPress vulnerability analysis and mitigation

The Simple Ajax Chat WordPress plugin (versions before 20240223) contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-1983. The vulnerability was discovered and reported on February 28, 2024, affecting the chat functionality where visitors can input malicious names that are reflected unsanitized to other users (WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the chat name field. The CVSS v3.1 base score is 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users access the affected pages (NVD).

When exploited, this vulnerability allows attackers to inject malicious scripts through the chat name field, which are then executed in the browsers of other users viewing the chat. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' browsers (WPScan).

The vulnerability has been patched in version 20240223 of the Simple Ajax Chat WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).