CVE-2024-52423: 
NixOS vulnerability analysis and mitigation

CVE-2024-52423 is a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Themify Builder WordPress plugin, affecting versions through 7.6.3. The vulnerability was publicly disclosed on November 13, 2024, and was identified by researcher João Pedro Soares de Alcântara. This security issue affects the Themify Builder plugin, a popular WordPress page builder tool (Patchstack, WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 5.4 (Medium) from NIST and 6.5 (Medium) from Patchstack. The vulnerability allows authenticated users with contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page, due to insufficient input sanitization and output escaping (NVD, Patchstack).

The vulnerability enables authenticated attackers with contributor-level privileges to inject malicious scripts that can execute in users' browsers when they visit affected pages. This could lead to various attacks including session hijacking, defacement, or the injection of malicious content such as redirects and unwanted advertisements (Patchstack).

The vulnerability has been patched in version 7.6.6 of the Themify Builder plugin. Site administrators are advised to update to this version or later to remediate the security issue. The fix addresses the input sanitization and output escaping issues that allowed the XSS vulnerability (WPScan, Patchstack).