CVE-2024-24877: 
WordPress vulnerability analysis and mitigation

The Wonder Slider Lite WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability affecting versions up to and including 13.9. The vulnerability was discovered by Dimas Maulana and was assigned CVE-2024-24877. The issue stems from insufficient input sanitization and output escaping in the 'page' parameter (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received varying CVSS scores: 6.1 (Medium) from NVD (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) and 7.1 (High) from Patchstack (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link (WPScan).

If successfully exploited, this vulnerability could allow attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

The vulnerability has been fixed in Wonder Slider Lite version 14.0. Users are advised to update to this version or later to resolve the security issue. Patchstack has also issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).