CVE-2024-54343: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the Connect Contact Form 7 to Constant Contact WordPress plugin, affecting versions up to and including 1.4. The vulnerability was reported on October 24, 2024, and publicly disclosed on December 11, 2024 (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue allows unauthenticated attackers to inject malicious scripts that can be executed when users visit the affected site (NVD).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site, potentially compromising user data and website integrity (Patchstack).

The vulnerability has been patched in version 1.5 of the plugin. Users are advised to update to version 1.5 or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking any attacks until the update to a fixed version can be completed (Patchstack).