CVE-2024-4477: 
WordPress vulnerability analysis and mitigation

The WP Logs Book WordPress plugin through version 1.0.1 contains an Unauthenticated Stored Cross-Site Scripting vulnerability (CVE-2024-4477). The vulnerability was discovered and reported by Bob Matyas, with public disclosure on May 31, 2024 (WPScan).

The vulnerability exists because the plugin does not properly sanitize and escape log data before outputting it back in the admin dashboard. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N according to NVD, while CISA-ADP rates it at 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L (NVD).

The vulnerability allows unauthenticated attackers to store and execute malicious JavaScript code that will be triggered when administrators view the logs in the WordPress dashboard. This could potentially lead to various attacks including theft of sensitive information or manipulation of admin actions (WPScan).

At the time of disclosure, there was no known fix available for this vulnerability. Users of the WP Logs Book plugin should consider updating to newer versions when available or implementing additional security controls to protect against XSS attacks (WPScan).