CVE-2024-37259: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in WP Extended The Ultimate WordPress Toolkit plugin affecting versions through 2.4.7. The vulnerability was reported on May 27, 2024, and publicly disclosed on June 27, 2024 (Patchstack).

The vulnerability is classified as a Reflected XSS issue (CWE-79: Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N from NVD, while Patchstack assigned it a higher score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (Patchstack).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when visitors access the site. The vulnerability is known to be actively exploited (Patchstack).

Users are advised to update to version 3.0.0 or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to a fixed version (Patchstack).