CVE-2024-43999: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Saturday Drive Ninja Forms WordPress plugin, affecting versions up to 3.8.11. The vulnerability was identified on August 28, 2024, and was assigned CVE-2024-43999. This security issue specifically impacts multi-site installations and installations where unfiltered_html has been disabled (WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue, which allows for Stored XSS attacks. The CVSS v3.1 base score is rated as 4.8 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack rates it at 5.9 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD, Patchstack).

The vulnerability allows authenticated attackers with administrator-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to unauthorized actions, data theft, or site manipulation (WPScan).

The vulnerability has been patched in version 3.8.12 of the Ninja Forms plugin. Users are advised to update to this version or later to resolve the security issue (Patchstack).