CVE-2024-24878: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the Portugal CTT Tracking for WooCommerce WordPress plugin, affecting versions up to and including 2.1. The vulnerability was identified on February 5, 2024, and was assigned CVE-2024-24878. This security issue affects the PT Woo Plugins (by Webdados) Portugal CTT Tracking for WooCommerce plugin (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 6.1 (MEDIUM) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a higher score of 7.1 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the plugin (WPScan).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute when users perform specific actions, such as clicking on a malicious link. This could potentially lead to the injection of malicious scripts, redirects, advertisements, and other HTML payloads that would be executed when guests visit the affected site (Patchstack).

The vulnerability has been fixed in version 2.2 of the Portugal CTT Tracking for WooCommerce plugin. Users are advised to update to version 2.2 or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).