CVE-2024-29798: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in Appsmav Gratisfaction plugin versions through 4.3.4. The vulnerability was reported on December 11, 2023, and publicly disclosed on March 25, 2024. This security issue affects WordPress installations using the Gratisfaction plugin, which is an all-in-one loyalty contests and referral program solution for WooCommerce (Patchstack).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires Contributor or higher privileges to exploit (Patchstack).

If exploited, this vulnerability could allow an authenticated attacker to inject malicious scripts into the website. These scripts could be used to redirect users, inject unwanted advertisements, or execute other malicious HTML payloads that would affect visitors to the affected site (Patchstack).

The vulnerability has been fixed in version 4.3.5 of the Gratisfaction plugin. Users are advised to update to version 4.3.5 or later to remove the vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).