CVE-2024-49288: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in VillaTheme Email Template Customizer for WooCommerce affecting versions up to 1.2.5. The vulnerability was identified and reported on October 15, 2024, and assigned CVE-2024-49288. This security issue affects the plugin's admin settings functionality and impacts WordPress installations where the plugin is active (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) with a CVSS v3.1 base score of 5.9 (Medium). The issue stems from insufficient input sanitization and output escaping in the admin settings. This vulnerability particularly affects multi-site installations and installations where unfiltered_html has been disabled (WPScan).

The vulnerability allows authenticated attackers with shop manager-level permissions and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to various security implications including redirects, unwanted advertisements, and other malicious HTML payloads being executed on visitors' browsers (Patchstack).

The vulnerability has been fixed in version 1.2.9.2 of the plugin. Users are advised to update to version 1.2.9.2 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).