CVE-2024-50469: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in Team Bright Vessel's Textboxes WordPress plugin, affecting versions up to and including 0.1.3.1. The vulnerability was discovered by SOPROBRO and publicly disclosed on October 24, 2024. This security issue has been assigned CVE-2024-50469 and allows DOM-Based XSS attacks through improper neutralization of input during web page generation (Patchstack, WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting issue (CWE-79) that affects authenticated users with contributor-level access and above. The CVSS v3.1 base score is 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The security flaw stems from insufficient input sanitization and output escaping in the plugin's functionality (Patchstack).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to session hijacking, defacement, or other malicious actions (WPScan).

Currently, there is no official fix available for this vulnerability. The issue affects versions up to and including 0.1.3.1 of the Textboxes plugin (WPScan).