CVE-2024-37480: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Apollo13Themes Apollo13 Framework Extensions plugin affecting versions up to 1.9.3. The vulnerability was disclosed on July 4, 2024, and tracked as CVE-2024-37480. This security issue affects the WordPress plugin apollo13-framework-extensions and requires authenticated user access with Author or higher privileges (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue, identified as CWE-79. It received a CVSS v3.1 base score of 5.4 (Medium) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a slightly higher CVSS score of 6.5 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows authenticated users with Author or higher privileges to inject malicious scripts into the website. These scripts can be used to create redirects, insert unwanted advertisements, and execute other HTML payloads that will affect visitors to the affected site (Patchstack).

The vulnerability has been patched in version 1.9.4 of the Apollo13 Framework Extensions plugin. Users are advised to update to this version or later to resolve the security issue. Patchstack has also issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).