CVE-2024-2399: 
WordPress vulnerability analysis and mitigation

The Premium Addons PRO plugin for WordPress (CVE-2024-2399) contains a Stored Cross-Site Scripting vulnerability in versions up to and including 4.10.23. The vulnerability exists due to insufficient input sanitization and output escaping on user supplied attributes in the plugin's widgets. This security issue was disclosed on March 15, 2024 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue stems from improper neutralization of input during web page generation, classified as CWE-79. The vulnerability affects the plugin's widgets where user-supplied attributes are not properly sanitized and escaped before being output (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to client-side attacks against site visitors (NVD).

Users should update to version 4.10.24 or later of the Premium Addons PRO plugin for WordPress, which contains the fix for this vulnerability. The patch addresses the input sanitization and output escaping issues in the affected widgets (WordPress Plugin).