CVE-2024-22287: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Better Anchor Links WordPress plugin, developed by Luděk Melichar. The vulnerability affects all versions up to and including 1.7.5, and it can lead to Cross-Site Scripting (XSS) attacks. The vulnerability was initially reported on January 3, 2024, and was publicly disclosed on January 16, 2024 (Patchstack Database).

The vulnerability has been assigned CVE-2024-22287 and has received varying CVSS v3.1 severity ratings. The National Institute of Standards and Technology (NIST) assessed it with a base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 7.1 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows unauthenticated attackers to perform Cross-Site Request Forgery attacks that can lead to Cross-Site Scripting exploitation. This combination of vulnerabilities could potentially allow attackers to execute unwanted actions under the context of authenticated users and inject malicious scripts (Patchstack Database).

While no official patch is currently available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website owners using the Better Anchor Links plugin are advised to implement additional security measures until an official fix becomes available (Patchstack Database).