CVE-2024-29766: 
WordPress vulnerability analysis and mitigation

The StreamWeasels Twitch Integration WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability affecting versions up to and including 1.7.5. The vulnerability was discovered on March 25, 2024, and was assigned CVE-2024-29766. This security issue affects the StreamWeasels Twitch Integration plugin for WordPress, with a fix available in version 1.7.6 (Patchstack, WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) due to insufficient input sanitization and output escaping. It has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (Patchstack).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to the injection of malicious scripts, redirects, advertisements, and other HTML payloads that execute when guests visit the affected site (WPScan, Patchstack).

Users are advised to update to version 1.7.6 or later of the StreamWeasels Twitch Integration plugin to resolve this vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins as an additional security measure (Patchstack).