CVE-2024-49670: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in Sam Glover's Client Power Tools Portal WordPress plugin, affecting versions through 1.8.6. The vulnerability was reported on October 14, 2024, and publicly disclosed on October 21, 2024. This security issue was assigned CVE-2024-49670 and affects the WordPress plugin Client Power Tools Portal up to version 1.9.0 (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received varying CVSS scores from different sources. The National Vulnerability Database (NVD) assigned a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 7.1 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires no authentication to exploit and has a low attack complexity (NVD).

This Cross-Site Scripting vulnerability could allow malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site, potentially compromising user security and website integrity (Patchstack).

Users are advised to update to version 1.9.1 or later of the Client Power Tools Portal plugin to resolve this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).