CVE-2024-3999: 
WordPress vulnerability analysis and mitigation

CVE-2024-3999 affects the EazyDocs WordPress plugin versions before 2.5.0. The vulnerability was discovered and disclosed in July 2024, impacting WordPress installations using the affected plugin versions. The vulnerability stems from improper sanitization and escaping of certain plugin settings (NVD CVE, WPScan Advisory).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79. The CVSS v3.1 base score is 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability exists due to insufficient sanitization and escaping of plugin settings, which could allow high-privilege users such as administrators to perform Stored XSS attacks even when the unfiltered_html capability is disallowed, such as in multisite setups (NVD CVE).

The vulnerability allows high-privilege users to perform Stored Cross-Site Scripting attacks, potentially affecting other administrators or users with access to the WordPress dashboard. This is particularly concerning in multisite WordPress installations where the unfiltered_html capability is typically disallowed for security reasons (WPScan Advisory).

The vulnerability has been fixed in EazyDocs version 2.5.0. Site administrators are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been published (WPScan Advisory).