CVE-2024-24885: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the Woocommerce Vietnam Checkout plugin, affecting versions through 2.0.7. The vulnerability was identified and reported on February 8, 2024, and tracked as CVE-2024-24885. This security issue stems from improper neutralization of input during web page generation in Lê Văn Toản's Woocommerce Vietnam Checkout plugin for WordPress (NVD CVE, Patchstack Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a score of 5.9 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD CVE).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which will be executed when guests visit the site. The attack requires Shop Manager privileges to exploit (Patchstack Advisory).

Users are advised to update to version 2.0.8 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack Advisory).