CVE-2024-49629: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Endless Posts Navigation WordPress plugin, developed by Fahad Mahmood. The vulnerability affects versions through 2.2.7 and allows for Stored Cross-Site Scripting (XSS) attacks. The issue was initially reported on October 8, 2024, and was publicly disclosed on October 18, 2024 (Patchstack).

The vulnerability has been assigned CVE-2024-49629 and received a CVSS v3.1 base score of 7.1 (High) from Patchstack, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. NIST's NVD assessment provided a slightly lower CVSS score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows malicious actors to force higher privileged users to execute unwanted actions under their current authentication. This CSRF vulnerability can lead to stored XSS attacks, potentially compromising the security of the affected WordPress installations (Patchstack).

Users are advised to update to version 2.2.8 or later of the Endless Posts Navigation plugin to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).