CVE-2024-4439: 
WordPress vulnerability analysis and mitigation

WordPress Core versions up to 6.5.2 contain a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-4439) in the Avatar block due to insufficient output escaping of user display names. The vulnerability was discovered by John Blackbourn of the WordPress security team, with assistance from Mat Rollings, and was patched in WordPress 6.5.2 released on April 9, 2024 (WordPress Release).

The vulnerability stems from insufficient output escaping on display names in the Avatar block, which was introduced in WordPress version 6.0. The issue occurs due to improper order of operations in the escaping and formatting of user-supplied data, where esc_attr() is executed prior to sprintf(), leaving the comment_author and author_name values inadequately escaped before HTML output (Security Online). The vulnerability has been assigned a CVSS score of 7.2 (High) (NVD).

The vulnerability allows both authenticated and unauthenticated attackers to inject malicious web scripts. For authenticated users with contributor-level access or higher, arbitrary web scripts can be injected into pages that execute when viewed. Unauthenticated attackers can exploit the vulnerability on pages where the comment block is present and displays the comment author's avatar (NVD).

WordPress has released version 6.5.2 which includes a patch for this vulnerability. The fix has also been backported to versions starting from 6.1. Site administrators are strongly recommended to update their installations immediately to version 6.5.2 or later. Sites with automatic background updates enabled will receive the update automatically (WordPress Release).