CVE-2024-24881: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in VeronaLabs WP SMS – Messaging & SMS Notification for WordPress plugin affecting versions up to 6.5.2. The vulnerability was disclosed on February 5, 2024, and was assigned CVE-2024-24881. The plugin, which provides SMS functionality for WordPress, WooCommerce, and GravityForms, was found to have insufficient input sanitization and output escaping (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and specifically involves the 'page' parameter. The CVSS v3.1 scores vary between sources, with NVD rating it at 6.1 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rates it at 7.1 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This could potentially lead to the injection of malicious scripts, redirects, advertisements, and other HTML payloads that execute when visitors access the affected site (Patchstack).

The vulnerability has been fixed in version 6.5.3 of the WP SMS plugin. Users are advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).