CVE-2024-43327: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress Invite Anyone plugin, affecting versions up to 1.4.7. The vulnerability was reported on July 26, 2024, and publicly disclosed on August 16, 2024. This security issue was assigned CVE-2024-43327 and affects the plugin developed by Boone Gorges (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79), allowing for Reflected Cross-Site Scripting attacks. The severity assessment varies between sources, with NIST assigning a CVSS v3.1 base score of 6.1 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rates it at 7.1 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when guests visit the site. This poses a significant risk as it requires no authentication to exploit (Patchstack).

Users are advised to update to version 1.4.8 or later to resolve the vulnerability. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking any attacks until the update to a fixed version can be completed (Patchstack).