CVE-2024-3635: 
WordPress vulnerability analysis and mitigation

The Post Grid WordPress plugin before version 7.5.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered in September 2024 and affects the Grid settings functionality. The plugin fails to properly sanitize and escape some of its Grid settings, potentially exposing websites to XSS attacks (WPScan, NVD).

The vulnerability exists due to improper input validation in the Grid settings section of the plugin. High privilege users such as Editors and above can exploit this vulnerability by injecting malicious scripts into the Grid settings, which are then stored and executed, even when the unfiltered_html capability is disallowed in multisite setups. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated users with Editor or higher privileges to perform Stored Cross-Site Scripting attacks. This could potentially lead to the execution of arbitrary JavaScript code in users' browsers when viewing affected pages, even in environments where unfiltered HTML is explicitly disallowed (WPScan).

Website administrators should update The Post Grid plugin to version 7.5.0 or later, which contains the fix for this vulnerability (WPScan).