CVE-2024-6072: 
WordPress vulnerability analysis and mitigation

The wp-cart-for-digital-products WordPress plugin (WP eStore) before version 8.5.5 contains a reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on June 24, 2024, and was assigned CVE-2024-6072. The issue affects the plugin's handling of the $SERVER['REQUESTURI'] parameter, which is not properly escaped before being output in an attribute (WPScan).

The vulnerability stems from improper neutralization of input during web page generation (CWE-79). The CVSS v3.1 base score is 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability can be exploited through the admin interface, specifically in the wp-admin/admin.php page with the wpeStorestats parameter (WPScan).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of old web browsers when users access the affected pages. The impact is considered medium severity with potential for limited confidentiality and integrity breaches (NVD).

The vulnerability has been fixed in version 8.5.5 of the wp-cart-for-digital-products plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).