CVE-2024-49320: 
WordPress vulnerability analysis and mitigation

The Encyclopedia / Glossary / Wiki WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.7.60. The vulnerability was discovered by SOPROBRO and publicly disclosed on October 15, 2024, with CVE-2024-49320 assigned (Patchstack).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue due to insufficient input sanitization and output escaping (CWE-79). It has received a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform certain actions, such as clicking on a malicious link. The successful exploitation could lead to the execution of malicious scripts, including redirects, advertisements, and other HTML payloads on the affected website (WPScan).

The vulnerability has been patched in version 1.7.61 of the Encyclopedia / Glossary / Wiki plugin. Users are advised to update to this version or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).