CVE-2024-2436: 
WordPress vulnerability analysis and mitigation

The Lightweight Accordion plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-2436) affecting all versions up to and including 1.5.16. The vulnerability was discovered and disclosed on April 9, 2024, and affects the plugin's shortcode functionality (Wordfence).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode implementation. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assigned a slightly higher score of 6.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to client-side attacks against site visitors (NVD).

The vulnerability has been patched in version 1.5.17 of the Lightweight Accordion plugin. The update includes security fixes to sanitize outputs and other improvements. Users are advised to update to this latest version (WordPress Plugin).