CVE-2024-24886: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in Acowebs Product Labels For Woocommerce (Sale Badges) plugin affecting versions up to 1.5.3. The vulnerability was reported on December 26, 2023, and publicly disclosed on February 5, 2024 (Patchstack Report).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79), allowing for Stored XSS attacks. The vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a score of 5.9 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when guests visit the site. The attack requires authentication with Shop manager or higher privileges (Patchstack Report).

The vulnerability has been fixed in version 1.5.4 of the Product Labels For Woocommerce plugin. Users are advised to update to version 1.5.4 or later to remove the vulnerability (Patchstack Report).