CVE-2024-50448: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in YITH WooCommerce Product Add-Ons plugin affecting versions up to and including 4.14.1. The vulnerability was identified on October 24, 2024, by security researcher Le Ngoc Anh (Wordfence, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received varying CVSS v3.1 scores: 6.1 (Medium) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and 7.1 (High) from Patchstack with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue stems from insufficient input sanitization and output escaping (WPScan).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This could potentially lead to the injection of malicious scripts, redirects, advertisements, and other HTML payloads that execute when guests visit the affected site (Patchstack).

The vulnerability has been fixed in version 4.14.2 of the YITH WooCommerce Product Add-Ons plugin. Users are advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).