CVE-2024-3410: 
WordPress vulnerability analysis and mitigation

The DN Footer Contacts WordPress plugin before version 1.6.3 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on June 18, 2024, affecting the plugin's settings functionality (WPScan).

The vulnerability stems from inadequate sanitization and escaping of certain plugin settings. This security flaw could be exploited by users with high privileges, such as administrators, to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled, such as in multisite setups. The vulnerability has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L (NVD).

The vulnerability allows high-privileged users to inject malicious JavaScript code that gets stored in the plugin's settings and executed when other users visit the affected pages. This could potentially lead to session hijacking, credential theft, or other client-side attacks against site visitors (WPScan).

The vulnerability has been patched in version 1.6.3 of the DN Footer Contacts plugin. Site administrators should update to this version or later to mitigate the security risk (WPScan).