CVE-2024-48049: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Mighty Plugins Mighty Builder, affecting versions up to 1.0.2. The vulnerability was discovered by researcher Gab and was disclosed on October 14, 2024. This security issue impacts the WordPress plugin Mighty Builder - Drag & Drop WordPress Page Builder (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 5.4 (Medium) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Patchstack has assigned a slightly higher CVSS score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The vulnerability requires at least Contributor-level privileges to exploit (Patchstack).

Currently, no official fix is available for this vulnerability. The issue was reported on October 8, 2024, and an early warning was sent to Patchstack customers on October 14, 2024 (Patchstack).