CVE-2024-24804: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress MW WP Form plugin, identified as CVE-2024-24804. The vulnerability affects versions up to 5.0.6 of the plugin and was discovered by researcher Huynh Tien Si. The issue was publicly disclosed on January 31, 2024, and has been fixed in version 5.1.0 (WPScan, Patchstack).

The vulnerability stems from insufficient input sanitization and output escaping in the MW WP Form plugin. It has been assigned a CVSS score of 6.5 (Low severity) and is classified under CWE-79. The vulnerability falls under the OWASP Top 10 category A3: Injection (Patchstack, WPScan).

This vulnerability allows authenticated attackers with editor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the injected page, potentially leading to unauthorized actions, data theft, or site defacement (WPScan, Patchstack).

The recommended mitigation is to update the MW WP Form plugin to version 5.1.0 or later, which contains the fix for this vulnerability. Website administrators using vulnerable versions should prioritize this update to prevent potential exploitation (Patchstack).