CVE-2024-54220: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in Roninwp FAT Services Booking plugin through version 5.6. The vulnerability was discovered and reported by Dave Jong from Patchstack on December 2, 2024, and was assigned CVE-2024-54220. This stored XSS vulnerability affects WordPress installations using the FAT Services Booking plugin (Patchstack Report).

The vulnerability has been classified as a Cross-site Scripting (XSS) issue, specifically falling under CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability can be exploited by users with Subscriber or higher privileges (Patchstack Report).

This vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts will be executed when guests visit the affected site, potentially compromising the security and integrity of the website (Patchstack Report).

Currently, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately to protect their installations (Patchstack Report).