CVE-2024-53737: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WP Mailster WordPress plugin, tracked as CVE-2024-53737. The vulnerability affects all versions up to and including 1.8.16.0, and was discovered by researcher Lam Que Chi. The issue was publicly disclosed on November 23, 2024, and has been fixed in version 1.8.17.0 (Patchstack, WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L according to Patchstack, while NIST assigned a slightly lower score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires Contributor-level access or higher to exploit (Patchstack).

The vulnerability allows authenticated attackers with Contributor-level access or above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected page. This could potentially lead to redirects, unauthorized advertisements, and execution of other malicious HTML payloads on the website (WPScan).

The vulnerability has been patched in version 1.8.17.0 of the WP Mailster plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).