CVE-2024-5582: 
WordPress vulnerability analysis and mitigation

The Schema & Structured Data for WP & AMP plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-5582) discovered in July 2024. The vulnerability affects all versions up to and including 1.33 and is present in the plugin's 'url' attribute within the Q&A Block widget. This security issue impacts WordPress installations using the affected plugin versions (NVD).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the Q&A Block widget's 'url' attribute. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assigned it a score of 6.4 (Medium). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When successfully exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other malicious actions (NVD).

Users should update to version 1.34.1 or later of the Schema & Structured Data for WP & AMP plugin, which contains the security fix. The vulnerability was addressed in version 1.34 with a specific bug fix addressing the reported Wordfence vulnerability (WordPress Plugin).