CVE-2024-37261: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in WP Lab's WP-Lister Lite for Amazon plugin affecting versions through 2.6.16. The vulnerability was identified and reported by Le Ngoc Anh on May 27, 2024, and was publicly disclosed on June 27, 2024 (Patchstack).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation. It received a CVSS v3.1 base score of 6.1 (Medium) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a higher CVSS score of 7.1 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD, Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when users visit the site. This could potentially lead to theft of sensitive information or manipulation of website content (Patchstack).

Users are advised to update to version 2.6.17 or later to resolve this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users have updated to a fixed version (Patchstack).