CVE-2024-44040: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Plainware ShiftController Employee Shift Scheduling WordPress plugin, affecting versions up to and including 4.9.64. The vulnerability was disclosed on September 23, 2024, and was assigned CVE-2024-44040. This security issue affects multi-site installations and installations where unfiltered_html has been disabled (WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) with a CVSS v3.1 base score of 5.9 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L, indicating that it requires high privileges and user interaction to exploit (Patchstack).

The vulnerability allows authenticated attackers with administrator-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to compromised user sessions, data theft, or site defacement (WPScan).

The vulnerability has been patched in version 4.9.65 of the ShiftController Employee Shift Scheduling plugin. Users are advised to update to this version or later to remediate the security issue (Patchstack).

The vulnerability was initially discovered and reported by security researcher SOPROBRO on August 15, 2024, and was subsequently published by Patchstack on September 25, 2024 (Patchstack).