CVE-2024-43986: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in MagePeople Team's Taxi Booking Manager for WooCommerce plugin, affecting versions through 1.0.9. The vulnerability was identified and reported by researcher Sharanabasappa, and was officially assigned CVE-2024-43986 on August 29, 2024 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 4.8 (MEDIUM) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a slightly higher score of 5.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This primarily affects multi-site installations and installations where unfiltered_html has been disabled (WPScan).

The vulnerability has been fixed in version 1.1.0 of the Taxi Booking Manager for WooCommerce plugin. Users are advised to update to this version or later to remove the vulnerability (Patchstack).