CVE-2024-56274: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Astra Widgets WordPress plugin, affecting versions up to and including 1.2.15. The vulnerability was identified on January 3, 2025, by researcher João Pedro Soares de Alcântara. This security issue allows authenticated users with contributor-level access or higher to inject malicious web scripts into pages (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received varying CVSS scores from different sources. The National Vulnerability Database (NVD) assigned a CVSS v3.1 base score of 5.4 (Medium), while Patchstack rated it at 6.5 (Medium). The vulnerability vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, required privileges, and user interaction (NVD).

The vulnerability could allow malicious actors to inject arbitrary web scripts that execute whenever a user accesses an affected page. This creates potential for various attacks including malicious redirects, unauthorized advertisements, and execution of other HTML payloads on the website (Patchstack).

The vulnerability has been patched in version 1.2.16 of the Astra Widgets plugin. Site administrators are advised to update to this version or later to remove the vulnerability. Patchstack users have the option to enable auto-updates for vulnerable plugins (Patchstack).