CVE-2024-44008: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress Geo Mashup plugin, affecting versions up to 1.13.12. The vulnerability was identified and reported on September 16, 2024, and was assigned the identifier CVE-2024-44008. The affected software is the Geo Mashup plugin developed by Dylan Kuhn for WordPress installations (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue, identified as CWE-79. The CVSS v3.1 base score is rated as 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack rates it at 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

Users are advised to update to version 1.13.13 or later to remediate this vulnerability. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).