CVE-2024-21750: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in Scribit Shortcodes Finder WordPress plugin affecting versions up to 1.5.5. The vulnerability was reported on December 10, 2023, and publicly disclosed on January 10, 2024. This security issue was assigned CVE-2024-21750 and affects the web page generation functionality of the plugin (Patchstack Advisory).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 6.1 (Medium) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it at 7.1 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires no authentication to exploit (NVD Database, Patchstack Advisory).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack Advisory).

The vulnerability has been fixed in version 1.5.6 of the Shortcodes Finder plugin. Users are advised to update to version 1.5.6 or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to the fixed version (Patchstack Advisory).