CVE-2024-5600: 
WordPress vulnerability analysis and mitigation

The SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-5600) discovered in July 2024. This vulnerability affects all versions up to and including 1.3.10. The issue exists due to a missing capability check and insufficient sanitization in the import_settings() function (NVD).

The vulnerability stems from improper input validation in the import_settings() function, which lacks both capability checks and adequate sanitization of input data. The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating that the vulnerability requires low attack complexity and can be exploited remotely by an authenticated user (NVD).

When successfully exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to inject malicious web scripts into the application. This could potentially lead to the execution of unauthorized JavaScript code in users' browsers when viewing affected pages (NVD).

Users should update to a version newer than 1.3.10 when available. Until a patch is released, site administrators should carefully review and potentially restrict user roles that have access to the affected functionality (NVD).