CVE-2024-49700: 
WordPress vulnerability analysis and mitigation

The ARPrice WordPress plugin versions up to 4.1.3 contains a Reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-49700. The vulnerability was discovered by researcher Bonds and publicly disclosed on January 3, 2025. This security issue affects the WordPress pricing table plugin ARPrice and was fixed in version 4.2 (WPScan, Patchstack).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue that stems from insufficient input sanitization and output escaping in the plugin. It has been assigned a CVSS score of 7.1 (High), indicating significant severity. The vulnerability falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) and is classified as CWE-79 (WPScan).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute if they can successfully trick users into performing specific actions, such as clicking on a malicious link. This could potentially lead to the execution of malicious scripts, including redirects, advertisements, and other HTML payloads on the affected website (Patchstack).

Website administrators are advised to update the ARPrice plugin to version 4.2 or later, which contains the fix for this vulnerability. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).