CVE-2024-3996: 
WordPress vulnerability analysis and mitigation

The Smart Post Show WordPress plugin (also known as Post Grid, Post Carousel, & List Category Posts) contains a stored Cross-Site Scripting (XSS) vulnerability affecting versions before 2.4.28. The vulnerability was discovered on March 15, 2024, and was assigned CVE-2024-3996. This security issue specifically impacts high-privilege users such as administrators, particularly in multisite setups where the unfiltered_html capability is disallowed (Wiz, WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. When creating a new post grid, the 'posttitletag' parameter can be manipulated to inject malicious JavaScript code. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Wiz, NVD).

When exploited, this vulnerability allows high-privilege users to perform Stored Cross-Site Scripting attacks. This is particularly significant in multisite setups where the unfiltered_html capability is typically disallowed as a security measure. The impact includes potential execution of arbitrary JavaScript code in users' browsers (WPScan).

The vulnerability has been patched in version 2.4.28 of the plugin. Users are strongly advised to update to this version or later to mitigate the security risk (Wiz, WPScan).