CVE-2024-54238: 
WordPress vulnerability analysis and mitigation

The Board Document Manager from CHUHPL WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2024-54238) affecting all versions up to and including 1.9.1. The vulnerability was discovered by Le Ngoc Anh and publicly disclosed on December 5, 2024 (Patchstack).

The vulnerability is classified as a Reflected Cross-Site Scripting (CWE-79) issue due to insufficient input sanitization and output escaping. It has received a CVSS v3.1 base score of 7.1 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform certain actions, such as clicking on a malicious link. The successful exploitation could lead to theft of sensitive data, session hijacking, or other malicious actions performed in the context of the affected user's browser (WPScan).

Currently, there is no official fix available for this vulnerability. The software appears to be abandoned as it hasn't been updated for over a year. Users are advised to either remove and replace the plugin or implement virtual patching solutions. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).