CVE-2024-21744: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in Mapster Technology Inc.'s Mapster WP Maps WordPress plugin, identified as CVE-2024-21744. The vulnerability affects all versions through 1.2.38 and was disclosed on January 8, 2024. This stored XSS vulnerability impacts the WordPress plugin that allows users to create and manage maps (NVD, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 5.4 (Medium) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned a slightly higher CVSS score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows attackers with contributor-level access or above to inject malicious scripts into the website. These scripts can be used to create redirects, insert unwanted advertisements, and execute other HTML payloads that will affect visitors to the affected site (Patchstack).

The vulnerability has been fixed in version 1.2.39 of the Mapster WP Maps plugin. Users are advised to update to this version or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).

The vulnerability was initially reported by security researcher Khalid Yusuf on October 2, 2023. Patchstack issued an early warning to their customers on January 5, 2024, before the public disclosure on January 7, 2024 (Patchstack).