CVE-2024-49283: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in VillaTheme CURCY, affecting versions through 2.2.3. The vulnerability was reported by Dimas Maulana on August 29, 2024, and was publicly disclosed on October 15, 2024. CURCY is a WordPress plugin that provides multi-currency functionality for WooCommerce (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned a CVSS v3.1 score of 7.1 (High). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), needs user interaction (UI:R), and has a changed scope (S:C) with low confidentiality, integrity, and availability impacts (C:L/I:L/A:L) (Patchstack).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site, potentially compromising user data and website integrity (Patchstack).

The vulnerability has been patched in version 2.2.4 of the CURCY plugin. Website administrators are advised to update to this version or later immediately. Patchstack has also issued a virtual patch to mitigate this issue by blocking attacks until users can update to the fixed version (Patchstack).