CVE-2024-56297: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the dn88 Highlight WordPress plugin, tracked as CVE-2024-56297. The vulnerability affects versions through 2.0.2 and was discovered by researcher Pham Van Tam. The issue was publicly disclosed on January 3, 2025, and involves improper neutralization of input during web page generation (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires high privileges and user interaction to exploit, with potential impacts on confidentiality, integrity, and availability all rated as Low (NVD, Patchstack).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

The vulnerability has been patched in version 2.0.6 of the Highlight plugin. Users are advised to update to version 2.0.6 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).