CVE-2024-3062: 
WordPress vulnerability analysis and mitigation

The Save as Image Plugin by Pdfcrowd WordPress plugin before version 3.2.2 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed in early 2024, affecting WordPress installations using the vulnerable plugin versions. The issue specifically impacts high-privilege users such as administrators, particularly in multisite setups where the unfiltered_html capability is disallowed (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. Multiple fields in the plugin's settings are vulnerable, including 'Custom Data', 'Custom CSS', and 'Data String'. These fields can be exploited to perform Stored Cross-Site Scripting attacks. The vulnerability has been assigned a CVSS score of 3.5 (low) and is classified under CWE-79, which relates to improper neutralization of input during web page generation (WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed. This is particularly significant in multisite WordPress setups where such restrictions are commonly implemented for security purposes (WPScan).

The vulnerability has been patched in version 3.2.2 of the Save as Image Plugin by Pdfcrowd. Users are advised to update to this version or later to mitigate the security risk (WPScan).