CVE-2024-43305: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in the WordPress Custom Layouts – Post + Product grids made easy plugin affecting versions up to 1.4.11. The vulnerability was reported on July 28, 2024, by Ngô Thiên An (ancorn from VNPT-VCI) and was assigned CVE-2024-43305. The issue was publicly disclosed on August 16, 2024 ([Patchstack](https://patchstack.com/database/vulnerability/custom-layouts/wordpress-custom-layouts-post-product-grids-made-easy-plugin-1-4-11-cross-site-scripting-xss-vulnerability?s_id=cve)).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (Patchstack).

The vulnerability could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. The attack requires contributor-level privileges or higher to exploit (Patchstack).

The vulnerability has been fixed in version 1.4.12 of the Custom Layouts plugin. Users are advised to update to version 1.4.12 or later to remove the vulnerability (Patchstack).