CVE-2024-37550: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in Envato Template Kit – Export WordPress plugin, identified as CVE-2024-37550. The vulnerability affects versions through 1.0.22 of the Template Kit – Export plugin and was disclosed on July 21, 2024. This security issue allows for Stored XSS attacks in the plugin (Patchstack Advisory).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N according to NVD's assessment. Patchstack assigned a slightly higher CVSS score of 5.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when visitors access the site. The impact is considered low severity but could affect website integrity and user experience (Patchstack Advisory).

As of the latest reports, no official fix is available for this vulnerability. The issue affects versions up to 1.0.23 of the Template Kit – Export plugin (Patchstack Advisory).