CVE-2024-37206: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in Theme4Press Demo Awesome WordPress plugin, affecting versions through 1.0.1. The vulnerability was reported on January 31, 2024, and publicly disclosed on June 20, 2024. This security issue was assigned CVE-2024-37206 and has been confirmed by both NIST and Patchstack (Patchstack Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 6.1 (MEDIUM) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Patchstack assigned a slightly higher CVSS score of 7.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD Details).

The vulnerability allows attackers to inject malicious scripts, which could lead to redirects, unauthorized advertisements, and execution of other HTML payloads when users visit the affected website. The impact includes potential data exposure and compromise of user interactions with the affected site (Patchstack Advisory).

Users are advised to update to version 1.0.2 or later of the Demo Awesome plugin to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack Advisory).