CVE-2024-43948: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WP Armour Extended WordPress plugin, identified as CVE-2024-43948. The vulnerability affects versions up to and including 1.26 of the plugin, with a fix available in version 1.32. The issue was discovered by Dave Jong and was publicly disclosed on August 26, 2024 (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and stems from insufficient input sanitization and output escaping in the plugin. It has received varying CVSS scores: NIST assigned a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 7.1 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute when users perform specific actions, such as clicking on a malicious link. This could enable attackers to inject malicious scripts, redirects, advertisements, and other HTML payloads that would be executed when guests visit the affected site (Patchstack).

The primary mitigation is to update the WP Armour Extended plugin to version 1.32 or later. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).