CVE-2024-54324: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in Cloud Inn's SMSify WordPress plugin, affecting versions up to 6.0.4. The vulnerability was reported on October 31, 2024, by security researcher Kévin Mosbahi (Mika) and was officially published on December 11, 2024, receiving the identifier CVE-2024-54324 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability can be exploited without authentication, indicating a lower barrier to exploitation (Patchstack).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the affected website. These injected scripts would be executed when visitors access the compromised site (Patchstack).

The vulnerability has been fixed in version 6.1.0 of the SMSify plugin. Users are advised to update to this version or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).